As Congress moves to reconcile each chamber’s version of the Cybersecurity Information Sharing Act (CISA), civil liberties organizations and technology companies alike continue to pan the bill for threatening consumer privacy and covertly expanding government surveillance programs. Critics argue that strong cybersecurity should not come at the expense of diminished privacy — but this is a false dichotomy. CISA is unlikely to meaningfully improve cybersecurity because the bill addresses the wrong issues.
CISA is built on the premise that cyberthreat information is insufficiently shared among public and private entities. If organizations can quickly report new malware or intrusion techniques to other groups, the thinking goes, then those groups can proactively defend themselves against such threats and limit the overall risk of attack. CISA supporters believe that too few companies are willing to share information because they fear lawsuits from customers whose data may be improperly shared.
CISA aims to encourage such reporting by extending legal immunity to corporations that decide to share information with federal offices like the Department of Homeland Security or the National Security Agency. Their customers will be legally prohibited from suing such companies — even if they accidentally share too much data — as long as they are acting in good faith. With this layer of legal accountability out of the way, CISA supporters believe that federal officials will be better positioned to notify organizations about emerging cyberthreats so they have enough time to build up defenses and thwart attacks.
This might sound good in theory, but CISA’s grounding assumptions are flawed.
For starters, “insufficient information-sharing” isn’t the big problem that CISA supporters believe it to be. Numerous public and private programs already exist to increase reporting and collaboration among organizations. My Mercatus Center colleague, Eli Dourado, and I found at least 20 separate offices with core missions to improve public-private cybersecurity information-sharing within the federal government alone.
CISA supporters rarely, if ever, acknowledge this existing hodgepodge of federal information-sharing initiatives, much less outline why this particular attempt would be qualitatively more successful than its predecessors. CISA merely adds to this bureaucratic thicket while removing a critical avenue of legal recourse for ordinary Americans seeking to protect their personal data.
What’s more, the bill could counterproductively encourage companies to share useless cyberthreat indicators with federal agencies for the sole purpose of extracting legal immunities. Such opportunistic risk-hedging would do nothing to improve cybersecurity, but it could provide unscrupulous corporations with a way to retroactively violate their own terms of service agreements while leaving little recourse for jilted customers.
Also noteworthy is the federal government’s poor track record of sharing actionable information even among its own offices. The Government Accountability Office finds that agencies routinely struggle to report and respond to emerging cyberthreats efficiently because of overlapping bureaucratic jurisdictions and inconsistent compliance with established procedures. If federal agencies cannot effectively share information among themselves, we should not expect them to suddenly become capable of notifying the entire nation of cyberthreats in time.
Nor should we expect the government to be a capable steward of the massive data sets that would be collected under CISA. The total number of information security incidents reported by federal agencies has increased by an astounding 1,169 percent since fiscal 2006. Some of the agencies that would be most empowered under CISA, such as the Department of Homeland Security, the Department of Defense and the Department of Justice, each reported thousands of such incidents last year alone.
Their leaders don’t fare much better. CIA Director John Brennan just made headlines after his AOL email account was hacked by a group of self-described “teen stoners.” CISA could ironically end up encouraging more attacks against notoriously poorly defended federal systems. The huge data sets that CISA would allow agencies to collect could prove irresistible to hackers seeking profit or bragging rights. Government officials must first get their own houses in order before expanding their authority over the nation’s cybersecurity.
In many ways, CISA is a cybersecurity bill that only a politician could love. Information security professionals are perplexed that “information-sharing” has become such a focal point in our long-overdue cybersecurity policy discussion. Most cybersecurity experts dispute that CISA-style legislation will significantly reduce security breaches.
In addition to the aforementioned problems, cybersecurity professionals point out that attempting to erect a manual threat detection and reporting system for an entire country is inefficient and backward-looking, and does little to encourage organizations to proactively defend their own systems. CISA also distracts from the risks that most organizations actually face. Most companies are far more likely to suffer a breach because an employee carelessly clicks a malicious link in a phishing email than because they were targeted by a sophisticated, novel attack they had not been warned about in time.
There is a lot the government could do to improve cybersecurity outcomes. We could increase security training and education, support strong encryption techniques, and remove disincentives for security researchers to test and report vulnerabilities to organizations. But instead, for some strange reason, policymakers choose to plow ahead with the bizarre shibboleth of “information-sharing.” If Congress is serious about cybersecurity, it should turn instead to proven solutions that the security community recommends.