After reading the latest version of this bill, not only do we agree with this assessment, but our critique goes much further.
CISA authorizes Internet service providers to share virtually unlimited personal identifying information (PII) on huge numbers of individuals based upon undefined “cyberthreat indicators,” all without judicial review or any indication of actual wrong‐doing (e.g., guilt by association would likely be enough to target both you and everyone you know).
Our colleague, Jennifer Granick, spelled out some of the implications. “Imagine you are the target of a phishing attack: Someone sends you an e‐mail attachment containing malware. Your e‐mail service provider shares the attachment with the government, so that others can configure their computer systems to spot similar attacks. The next day, your provider gets a call. It’s the Department of Homeland Security (DHS), and they’re curious. The malware appears to be from Turkey. Why, DHS wants to know, might someone in Turkey be interested in attacking you? So, would your e‐mail company please share all your e‐mails with the government? Knowing more about you, investigators might better understand the attack.”
Not only is that scenario likely, but by collecting personal information and storing it in a massive government data warehouse, CISA will dramatically increase everyone’s vulnerability in future hacking attacks.
Given the federal government’s abysmal track record when it comes to protecting its own data, the likelihood of another serious breach remains high. In essence, CISA will make everything you do and say online less safe and more susceptible to government eavesdropping.
In short, CISA is anti‐cybersecurity and it’s a recipe for making existing problems far worse.
Fortunately, solutions exist for helping prevent the kinds of data breaches that are currently plaguing our government, and they don’t necessarily require Congress to pass new laws. Instead, we need government to take a fundamentally different approach to data and cybersecurity.
As former OPM director Katherine Archuleta told a Senate committee in June before her resignation, one of the OPM breaches occurred because an outside contractor’s username and password were compromised – giving the hackers seemingly legitimate and widespread access to government databases. But left unanswered was why so much personal information on federal employees, retirees, or job seekers was available to a single user in the first place.
Likewise, this breach makes clear that this information is not encrypted within these databases by default, and that no separate access to an encryption key is required to unlock someone’s file or otherwise access their data. That should be the case given the highly sensitive nature of this information. It’s also fair to ask why OPM and other federal agencies with sensitive information aren’t investing resources in encryption concepts that hold the promise of making databases more secure.
In 2009, IBM researcher Craig Gentry developed the first functioning form of homomorphic encryption – a kind of encryption that allows someone to query encrypted information for a specific piece of data without that data being decrypted and putting that information at risk of exposure. Mr. Gentry’s work is ongoing, and there are still some implementation challenges to overcome, but his approach is extremely promising and it should be a key area of focus for both government and private sector efforts to secure databases containing personal information.
In the meantime, the federal government should avoid implementing ill‐conceived “information sharing” surveillance schemes like CISA, cease and desist from its efforts to undermine public key encryption, and terminate existing mass surveillance programs that accumulate more personal information on government IT systems that have proven time and again to be insecure and that have done almost nothing to protect us from terrorist threats.