Commentary

OPM, CISA, and the Cybersecurity Oxymoron

In Congress, bad policy ideas are like vampires: They are very hard to kill because they’re always somehow coming back from the dead. Such is the case with this year’s iteration of the Senate’s “cybersecurity information sharing” legislation, the Cybersecurity Information Sharing Act (CISA), offered by the chairman of the Senate Intelligence Committee, Sen. Richard Burr (R-NC).

The bill has been roundly criticized by a wide range of privacy and civil liberties groups, many of whom view the legislation as a de facto surveillance bill. Even though an attempt to attach CISA to the annual National Defense Authorization Act failed last month, rumors persist on Capitol Hill that CISA will rise from the dead in July and get another shot on the Senate floor, with the recent and massive hack of the Office of Personnel Management’s databases being used to justify moving forward with the bill.

But would CISA actually help prevent future cyber attacks of the kind suffered by OPM? No.

Before I get into the details of why CISA is not the answer to our federal cybersecurity woes, a disclaimer: My wife and I are two of the millions of current or former federal employees whose data may have been compromised in the OPM hack. Indeed, it’s the second time in two years that my family has received notification from a federal agency that our personal information may have been compromised as the result of a federal data breach. Accordingly, I have far more than a passing interest in seeing the security of federal information systems dramatically improved. The problem is that if enacted, CISA would not only not stop OPM-style hacks — it might make future hacks more devastating in their impact.

When he introduced CISA earlier this year, Burr offered several claims about the bill, including that it:

  • Directs increased sharing of classified and unclassified information about cyber threats with the private sector, including declassification of intelligence as appropriate.
  • Requires the establishment of a capability (sometimes referred to as a “portal”) at the Department of Homeland Security (DHS) as the primary government capability to quickly accept cyber threat indicators and defensive measures through electronic means.

Burr also touted the bill’s alleged privacy protections, arguing it:

  • Does not require any private sector entity to share cyber threat information. Sharing is strictly voluntary.
  • Narrowly defines the term “cyber threat indicator” to limit the amount of information that may be shared under the Act.
  • Limits the use of cyber threat indicators to specific purposes, including the prevention of cybersecurity threats and serious crimes.
  • Requires the removal of personal information prior to the sharing of cyber threat indicators.

The problem is that as far as government-private sector information sharing is concerned, DHS’s Computer Emergency Readiness Team has been in this business for the better part of a decade. Anybody can sign up for their alerts. I get them daily. None of CISA’s proponents have explained how DHS-CERT is so deficient in its mission that yet another “information portal” needs to be created within DHS to facilitate the kind of information sharing envisaged by the bill.

Virtually as an afterthought, the bill requires a report to determine whether the federal government’s response to cyber threats is “degraded by a delay in the prompt notification by private entities of such threat or cyber attacks, theft, and breaches.” This report should be commissioned and published before any legislation calling for private sector-to-government sharing is offered and debated.

Have existing cyber info sharing arrangements proved ineffective? What has been learned from the existing multi-year DHS experience with industry? Was the Sony hack caused by a failure to share info with the government? To these questions, CISA’s supporters have no answers, but they are exactly the kind of questions that need to be answered before offering and passing still more cybersecurity legislation.

The bill does not designate a single department or agency as the organization responsible for carrying out the proposed cyber information sharing scheme it creates, and for enforcing compliance across federal agencies. The bill also does not address the National Cyber Threat Intelligence Integration Center proposed by President Obama and included in the House FY16 Intelligence Authorization bill. And there is no stated role for the US Cyber Command in the legislation.

The bill also fails to address multiple, GAO-documented federal department/agency cyber vulnerabilities over the last several years, their causes, and potential remedies. Affected agencies include DHS, the FAA, and DOD, among others.

Indeed, as cybersecurity researcher Andrea Castillo of George Mason University’s Mercatus Center recently noted, federal agencies reported nearly 68,000 “information security incidents” in FY 2014 alone. And as the FY 2014 Federal Information Security Management Act report shows, none of those incidents could be traced to a lack of information sharing.

As the recent OPM breach demonstrated, the vulnerability of federal systems is our greatest cyber Achilles’ heel — and allowing the sharing of inadequately protected personally identifying information (PII) from the private sector to the federal government will make that vulnerability worse.

The bill would require federal entities to develop methods (including technical ones) to sanitize PII except data related to an individual involved in a cyber threat. Who validates these techniques? Who validates data destruction and removal? The bill does not say.

The bill requires an audit of the retention, use, and dissemination of cyber threat indicators from the private sector to the federal government, but the kind of audit, the entity to conduct it, and the periodicity and classification of said audit are not outlined in the bill.

Under CISA, information sharing would be allowed via email, Internet web form, or a real-time automated process. The bill does not stipulate that such sharing be done via encrypted email or through implementation of established and proven internet encryption protocols, and any unencrypted PII will inherently be vulnerable to interception by malicious hackers or hostile intelligence services.

CISA would mandate automated cyber threat sharing. How will PII sharing be validated for appropriateness in an automated environment? Does such a technological capability currently exist for automated sharing? Does this amount to the imposition of an unfunded government mandate on industry? The bill is silent on these questions.

The bill includes several potential legislative loopholes that would allow governments at multiple levels to sit on known or suspected cyber vulnerabilities. Two examples include making cyber threat indicators shared with state or local law enforcement agencies exempt from FOIA and tasking federal entities with determining whether cyber threat indicators are properly classified, including those provided by the private sector to the government. Hiding vulnerabilities discovered in Microsoft Office or Firefox behind a wall of classification is not protecting the public, but as written the bill would allow the federal government to do exactly that.

The bill waives no privilege or protection available to the federal government. Thus, the bill would allow the government to assert the “state secrets” privilege to protect cyber vulnerabilities discovered by industry and passed to the federal government, even if keeping that information secret increased the risk of cyber attacks by hackers on the general public.

With respect to information sharing, protections for civil liberties and privacy, and reporting, the bill utilizes a guideline system that does not appear to require publication or allow for public input via the Federal Register and the usual federal regulatory process.

And if all of those problems with CISA aren’t enough, there’s one more that should give even cybersecurity “hawks” pause.

CISA would permit the Secretary of Defense to respond to cyber attacks but places no limits on scope or duration. Moreover, the bill does not explicitly ban the use of cyber threat indicators, or information derived therefrom, in offensive cyber operations by the federal government.

The US response to the alleged North Korean hack of Sony set a precedent for using federal cyber resources to respond to a cyber attack on a private, multinational corporation. As a matter of national policy, do we want to treat state-sponsored offensive cyber attacks as not requiring the kind of public debate over an authorization for the use of military force that we would have with an actual physical attack on another country? Do we want to treat our cyber operations — whether defensive or offensive — as covert actions not requiring congressional approval? CISA would provide new powers in this area without addressing the larger policy implications of doing so. That’s a recipe for trouble.

When you examine all the problems CISA would create while ignoring real federal cyber vulnerabilities that need fixing, it’s hard not to come away with the belief that the bill is a political exercise, rather than a serious effort to prevent more government data breaches.

Patrick G. Eddington was senior policy advisor to Rep. Rush Holt for over 10 years. He is currently a Policy Analyst in Homeland Security and Civil Liberties at the Cato Institute.