Commentary

Legislative Cyber Threats: CISA’s Not the Only One

If anyone in the United States Senate had any doubts that the proposed Cyber Information Sharing Act (CISA) was universally hated by a range of civil society groups, a literal blizzard of faxes should’ve cleared up the issue by now.

What’s not getting attention is a CISA “alternative” introduced last week by Sens. Mark Warner (D-Va) and Susan Collins (R-Me). Dubbed the “FISMA Reform Act,” the authors make the following claims about the bill:

This legislation would allow the Secretary of Homeland Security to operate intrusion detection and prevention capabilities on all federal agencies on the .gov domain.

The bipartisan bill would also direct the Secretary of Homeland Security to conduct risk assessments of any network within the government domain.

The bill would allow the Secretary of Homeland Security to operate defensive countermeasures on these networks once a cyber threat has been detected.

The legislation would strengthen and streamline the authority Congress gave to DHS last year to issue binding operational directives to federal agencies, especially to respond to substantial cyber security threats in emergency circumstances.

The bill would require the Office of Management and Budget to report to Congress annually on the extent to which OMB has exercised its existing authority to enforce government wide cyber security standards.

On the surface, it actually sounds like a rational response to the disastrous OPM hack. Unfortunately, the Warner-Collins bill has some vague or problematic language and non-existent definitions that make it potentially just as dangerous for data security and privacy as CISA.

The bill would allow the Secretary of Homeland Security to carry out cyber security activities “in conjunction with other agencies and the private sector” [for] “assessing and fostering the development of information security technologies and capabilities for use across multiple agencies.”

While the phrase “information sharing” is not present in this subsection, “security technologies and capabilities” is more than broad—and vague—enough to allow it.

The government needs to get the basics of online security right, and stop trying to impose an Orwellian, one-size-fits-all approach to cyber defense for the rest of us.

The bill would also allow the secretary to “acquire, intercept, retain, use, and disclose communications and other system traffic that are transiting to or from or stored on agency information systems and deploy countermeasures with regard to the communications and system traffic.”

If your spouse works at a federal agency and you email them, that email—if deemed relevant to an alleged cyber threat under an undefined, subjective standard—could be shared across multiple federal agencies—all because the bill lacks any definition of what constitutes a “cyber threat.”

If the email in question actually contained malicious code—even if your spouse had no knowledge that it did so—you can pretty much count on all hell breaking loose as the federal spouse, the non-federal spouse, and anyone who had inadvertently passed along an infected email to the non-federal spouse all get grilled by DHS and the FBI about their “involvement” in cyber crime, alleged or real.

The bill also allows the head of a federal agency or department “to disclose to the Secretary or a private entity providing assistance to the Secretary…information traveling to or from or stored on an agency information system, notwithstanding any other law that would otherwise restrict or prevent agency heads from disclosing such information to the Secretary.” (Emphasis added.)

So confidential, proprietary or other information otherwise precluded from disclosure under laws like HIPAA or the Privacy Act get waived if the Secretary of DHS or an agency head feel that your email needs to be shared with a government contracted outfit like the Hacking Team for analysis. And the bill explicitly provides for just this kind of cyber threat analysis outsourcing:

(3) PRIVATE ENTITIES.—The Secretary may enter into contracts or other agreements, or otherwise request and obtain the assistance of, private entities that provide electronic communication or information security services to acquire, intercept, retain, use, and disclose communications and other system traffic in accordance with this subsection.

The bill further states that the content of your communications,

will be retained only if the communication is associated with a known or reasonably suspected information security threat, and communications and system traffic will not be subject to the operation of a countermeasure unless associated with the threats. (Emphasis added.)

“Reasonably suspected” is about as squishy a definition as one can find.

Both of these bills are classic examples of Washington politicians feeling like they need to “do something” to meet the “cyber threat”. In the case of the OPM hack, Congress and the agencies do need to up their cyber defense game—but not by engaging in dubious (if not downright reckless) “cyber information sharing” schemes or offering bills that would actually increase, not decrease, the public’s vulnerability to online threats.

The OPM hack, like the Sony hack last year, was the product of poor security practices—and the means of preventing those kinds of security failures are well known but insufficiently ingrained in the culture of the affected organizations. The government needs to get the basics of online security right, and stop trying to impose an Orwellian, one-size-fits-all approach to cyber defense for the rest of us.

Patrick G. Eddington was senior policy advisor to Rep. Rush Holt for over 10 years. He is currently a Policy Analyst in Homeland Security and Civil Liberties at the Cato Institute.