Earlier this week, the White House sought to ease privacy concerns related to the Senate’s recent passage of the Cybersecurity Information Sharing Act (CISA). An official said the bill has a ”number of very key privacy provisions and use of limitations on how that cybersecurity information can be used,” adding that the administration would push for further privacy protections.
Despite these assurances, there’s reason to be concerned that CISA will sacrifice Americans’ privacy—and it may not even do much to increase online security.
In the wake of massive hacks on Sony and government computers, it’s clear the US needs to do more to ward off cyberattacks. CISA aims to reduce online attacks by encouraging companies to share more information about threats with federal agencies. The idea is that the federal government will then analyze emerging threats and share intelligence with at-risk companies.
Yet the bill faces vehement opposition from leading tech companies and privacy advocates. Apple, Twitter, LinkedIn, Microsoft, Google, Dropbox, Salesforce and others say that they already share lots of information around the industry, so they don’t need the government’s help.
Meanwhile, privacy advocates argue that the bill works so hard to encourage companies to share information with the government that it cuts corners on privacy, oversight and legal accountability. One major concern is that when companies share information on threats—such as an email that was part of a phishing attack or a file infected with malware—those files could contain customers’ personal data. Normally, the government would have to go to court to get a warrant to access this kind of private information. But under the Senate bill, the companies would be absolved of any liability for sharing this private information with law enforcement agencies.
There’s no doubt Congress has a tough job in this field. We’re still in the early stages of understanding how best to combat cybersecurity threats. But creating an end-run around existing privacy protections isn’t worth it. That’s particularly true if there’s not much benefit—so it’s worth asking how CISA’s approach to cybersecurity compares to proven security strategies in other arenas.
Credit-card fraud, for example, causes tens of billions of dollars in losses every year. We manage this risk in two ways. First, federal regulations limit the losses that consumers will have to bear if thieves get ahold of their information. Second, because credit-card companies don’t want to get stuck with massive bills, they deploy elaborate technological wizardry to comb through billions of transactions to detect fraud almost instantaneously. When you get a phone call at home in Indiana asking whether you just took out a cash advance at a Las Vegas casino, anti-fraud systems are at work.
Now imagine that all suspicious transactions were routed through the Department of the Treasury or the Comptroller of the Currency. We would probably wouldn’t want to rely on the feds to make these kinds of fraud assessments. The government will not be as agile or sophisticated in deploying new technology as banks that have billions of dollars in potential losses to guard against.
Nor should there be much enthusiasm for the idea that federal agencies would be allowed to see the details of our private finances. Would those financial details be shared with the IRS or immigration authorities? Or perhaps with the FBI to further the investigation of a completely unrelated crime?
Americans have always resisted the idea of an all-knowing government with centralized visibility into citizen’s lives. But CISA proposes just this kind of centralized approach to risk management.
The bill also empowers companies to launch their own defensive measures against cyber attackers. For example, companies could create troves of fake data to lure adversaries into wasting their energy trying to break into useless targets.
But apply the same logic to the way we manage speeding in residential neighborhoods. Can you imagine if we empowered private citizens to erect their own speed bumps on the road? Suppose those speed bumps are poorly designed, and a driver whose car gets damaged jumps out and starts a fight with the neighbors who installed them. In the same way, these defensive cyber measures could accidentally be directed at a benign target. Or suppose the poorly-designed speed bump causes an accident in which the speeding truck dumps toxic cargo. We have very little experience with the escalation patterns that defensive measures might engender.
Perhaps most alarmingly, the bill waives privacy and wiretapping laws to encourage companies to monitor their own networks. Personal data will inevitably be mixed in with threat information that companies share with the government.
It would be nice to believe that a well-meaning company would work hard to avoid turning over personal data to the government. But that fact is that the bill excuses companies from liability for violating privacy laws except in the most extreme cases. So the incentives are stacked against privacy.
Moreover, under CISA, we will have sharply limited the independent judicial oversight that has been so important to protecting privacy. At a time when there is growing distrust of how both companies and governments handle personal data, this bill is a big step in the wrong direction.
As Congress works to finalize CISA, it would be a mistake to feel that this approach is the only option to protect our security. The Federal Trade Commission is becoming increasingly active in requiring that companies follow industry standard security measures when holding consumers’ personal data. The threat of fines or lawsuits can also encourage companies to follow reasonable security practices. And there are numerous federal agencies that already have legal authority to regulate companies in our most vulnerable sectors, including banks, health, nuclear power and the electric grid.
We have a lot of work to do in order to make American society more resistant to cyber threats. But it may be a mistake to believe that government agencies will be better at spotting attacks than Amazon, MasterCard or Google. Let’s not put our faith in overly-centralized solutions that compromise our privacy.
We welcome your ideas at firstname.lastname@example.org.