CISA: A Dead Bill Reanimated, Again

Michael Policy

If you’re like me, you loathe it when a TV series brings a character who you thought was dead back to life. It rarely adds anything to the show and leaves it feeling a little bit cheaper. Usually in real life if you think someone is dead, they are: Elvis is dead, Tupac is dead. So I have special contempt for legislation that has been defeated several times in the past only to be resurrected the moment our guard goes down: instances where the people have clearly spoken and simply don’t want the proposed idea to become law. The CISA (most recently CISPA) bill is in exactly that position.

Everyone Else is Doing it! (Passing Double-Edged Legislation)

CISA is the Cybersecurity Information Sharing Act. Like so many other bills (C-51 from Canada, Australia’s Copyright Amendment Act of 2015, and Britain’s proposed ban on encryption), CISA is a piece of legislation aimed at making the internet safer in one way or another. However, also like these bills, CISA is worded in such a way that its intended use is overshadowed by the potential for abuses of power.

In Canada, bill C-51, formally known as the Investigative Powers for the 21st Century Act, is aimed at disrupting terrorism. This bill makes promotion of terrorism punishable by up to 5 years, even if no act is actually carried out. Online terrorist propaganda can also be censored by a court order. C-51 requires the internet service provider (ISP) to identify the individual responsible for the propaganda for the courts. The bill also allows arrests to be made without warrants, stating that the police can arrest individuals who may carry out a terrorist attack, as opposed to the previous statute of arresting those who will carry out an attack. All of this leads to the fear that acts like hacktivism, and simply those that go against the State, will be identified and prosecuted unjustly.

The Australian bill known as the Copyright Amendment Act of 2015 is aimed at curbing online piracy. However, like the other bills, this one is a double-edged sword. The main purpose was to give copyright holders in Australia a tool to obtain court orders for ISPs to block websites whose “primary purpose [is] to facilitate infringement.” Loose wording leaves the bill open to interpretation and abuse. For instance, could dropbox.com be blocked if someone argues that it ‘facilitates’ infringement? Or could VPNs be banned for the same reason?

David Cameron from the UK is also going to propose a bill to ban or, at the very least, significantly weaken encryption in Britain. This again would be aimed at thwarting the danger of terrorism. He proposed creating back doors or an all-out ban on encryption-minded apps and services in the UK, both of which would have a severely detrimental effect on online privacy.

The CISA Bill

This proposed bill is essentially an early warning system for cybersecurity. It creates a way in which private companies can alert the government to ‘cyberthreat indicators.’ It gives a standard for companies to say ‘we detected an attack by hackers, and this is what they were doing.’ These indicators will be earmarked for the Department of Homeland Security (DHS) but can be shared with any federal agency.

Like the aforementioned bills, this law may intend to do good, but it has plenty of loopholes ripe for exploitation. Not to mention it has been defeated four times already.

Like so many bills before it, CISA makes great use of vague wording. Even key terms, such as ‘cybersecurity threat’ and ‘cybersecurity purpose,’ are loosely defined or completely undefined. The protection of cybersecurity includes ‘improper’ information modification and ensuring ‘timely’ access to information, functions that, EFF says, are not necessarily tied to attacks.

The bill aims to give companies the ability to protect themselves online. It allows private companies to employ ‘defensive measures,’ but the definition leaves the door off the hinges for interpretation: “detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.” That encompasses just about anything, doesn’t it? Welcome to the Thunderdome.

The bill does provide one limitation to these defensive measures, however weak, when it says the defensive measures cannot “destroy, render unusable, or substantially harm.”

As usual, the government is playing fast and loose with the public’s privacy. The only mention in the bill of protecting privacy and rights is a section that says the government should make sure to “limit the impact on privacy and civil liberties” but provides no means to do so. The guidelines to ensure that information security have yet to be written. CISA’s only provisions for these future guidelines are “protect the confidentiality of [data] containing personal information … to the greatest extent practicable.” But because these aren’t written, there is no way to know how seriously the government will take this responsibility, but they don’t have a good track record.

Another pitfall of the bill is what the government can do with the data obtained through CISA. Not only can the information collected be shared with any federal agency (CIA, FBI, NSA, Fish and Wildlife Service, etc.) but it can also be used for purposes other than cybersecurity. EFF explains the bill’s minimization of the Department of Homeland Security’s role (wait, isn’t this their job if nothing else?):

[CISA] mandates DHS send information to agencies like the NSA—“in real-time and simultaneous[ly].” DHS is even barred from “delay[ing]” or “interfer[ing]” with the information, which ensures that DHS’s current privacy protections won’t be applied to the information. The provision is ripe for improper and over-expansive information sharing.

As if that wasn’t enough, the government can use this information for purposes other than cybersecurity. Secondary uses include “the purpose of responding to, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety.” Seeing as how there are already other laws in place for these kinds of violations, the inclusion of this clause is questionable. One section of CISA even allows the information to be used to prosecute violations of the Espionage Act, which has recently been used as a tool against journalists and whistleblowers.

And to top it all off, CISA provides for immunity, with the exception of a company’s “gross negligence or willful misconduct.” Companies that share information with the government cannot be sued by those whose information was shared, regardless of the consequences. The immunity even extends to “decisions made based on” any information “directly pertaining” to a security threat. Plus the public won’t ever know what information is being shared because it is exempted from the Freedom of Information Act (FOIA).

5th Time’s a Charm?

Interestingly enough, similarly worded bills have already been introduced four times before: in 2010, 2012, 2013 and 2014. Some activists say that this is the worst version yet. And maybe they’re right. Even the Department of Homeland Security has said publicly that they oppose this bill for giving power to the attorney general to create a framework to share details of cyberthreats.

The funny thing about this is that many companies’ cybersecurity is so abysmal that this bill will likely not put a dent in hacking attempts. The amount of effort that companies put into protecting customers’ information is laughable. Furthermore, hackers have sometimes infiltrated the network for months or years, as is the claim with Ashley Madison, before ever being discovered. And a large percentage of the time the breaches aren’t discovered until the hackers have made a threat or started releasing information! So what good will CISA do by allowing companies to share breaches of their networks if they can’t even detect those breaches?

 


You can follow the author @FreelanceTony
