2015-10-26

By Bill Gertz

The Senate last week voted to move forward with controversial legislation that supporters say would improve cyber threat information sharing between the government and industry but that critics say would undermine Americans’ electronic privacy.

The Cyber Security Information Sharing Act, produced by the Senate Intelligence Committee, was debated Thursday prior to a vote on cloture. The Senate will take up numerous amendments on Oct. 26 that are being offered by proponents and opponents.

A careful reading of the legislation reveals provisions that are likely to be viewed by U.S. intelligence and law enforcement agencies as giving them more power to gather threat data from the private sector, where most of the current information on cyber attackers resides, and to keep that data secret.

Given the prevailing government bureaucratic culture of information hoarding – not sharing – the likelihood the measure will work as intended appears small.

Government threat information, cyber or otherwise, is currently dominated by two agencies – the FBI and the National Security Agency. Both have poor records for sharing secrets within government or with cleared contractors.

The problem for both FBI and CIA is deeply ingrained and has been made worse by the WikiLeaks disaster – itself an outgrowth of post-9/11 calls for greater counterterrorism information sharing – and by the ongoing serious damage caused by NSA contractor Edward Snowden’s theft and disclosure of some of NSA’s most closely guarded sources and methods of intelligence-gathering.

The premier cyber security agency of the U.S. government unquestionably remains NSA, whose cyber spies and hackers have been stealing digital secrets in earnest since the 1980s.

Yet, Snowden and his facilitators have created a false conspiracy theory-laced narrative that NSA wants only to spy on innocents as part of a tin-foil hat plan to control the world.

Because many in Congress have bought into the Snowden narrative, both Democrats and Republicans, NSA is barely mentioned in the bill, but has been front and center in the debate, especially among critics of the legislation.

Government officials have repeatedly sought new legislation in recent months following large-scale cyber attacks on both government and private networks.

The Intelligence Committee, in its report on the bill, stated that staff discussions with “hundreds” of senior government officials and members of the private sector showed a need for laws that would increase information sharing about cyber threats.

The bill seeks a voluntary system of sharing cyber threat data that is then supposed to improve cooperation and collaboration and ultimately lead to improved cyber security technology and processes.

The goal is an automated system that would exchange technical threat data in real time or “machine speed” and ultimately counter cyber threats.

The bill vaguely calls for intelligence and security officials to “develop and promulgate” a system for timely sharing of classified cyber threat indicators with cleared officials and contractors.

The information “may be declassified and shared at the unclassified level,” the bill states, something unlikely to be followed by federal agencies that regard declassification as undermining the government’s ability to tackle cyber threats.

Additionally, the cyber threat information is exempt from disclosure under the Freedom of Information Act.

The bill also limits the requirement to provide both a classified and a public intelligence report on cyber threats to a single report, rather than a more valuable, recurring annual report.

Sen. Richard Burr, intelligence committee chairman, said some senators were seeking to kill the bill through amendments that would nullify it and undermine support for the legislation. The bill is “really our last chance,” he said Thursday.

“We have reached a very delicate balance,” said Burr (R-NC). “There have been bending and twisting and giving and taking, and we have done it not only within the Senate of the United States and within the committee, we have done it with stakeholders all around the country.”

Oregon Sen. Ron Wyden, a Democrat, is leading the opposition to the bill over what he regards as potential infringements to Americans’ privacy rights.

Noting that some U.S. technology companies are opposing the bill, Wyden said hacking and cyber threats are a serious problem but the bill lacks robust privacy protections.

“I would submit millions of Americans are going … to say this isn’t a cyber security bill, this is yet another surveillance bill,” Wyden said.

Because of the anti-NSA sentiment, the legislation will give the Department of Homeland Security a leading role in the program, and DHS is widely recognized as lacking both expertise and experience in dealing with cyber threat information. DHS’ U.S. Computer Emergency Readiness Team (US-CERT.gov) provides some valuable security resources. But its skill and response level are no match for NSA’s abilities.

The litany of cyber threats and attacks was outlined last week during the Senate debate by Sen. Ron Johnson, chairman of the Homeland Security Committee.

“The cyber threat we face today is real and it is growing,” Johnson said. “Sophisticated nation-state adversaries such as China and North Korea are constantly probing American companies’ and federal agencies’ computer networks to steal valuable and sensitive data. International criminal organizations are exploiting our networks to commit financial fraud and health fraud.”

Cyber terrorists, Johnson noted, want to attack cyber-connected critical infrastructure that would ultimately threaten the American way of life.

According to Johnson, the impact of the cyber threat includes major cyber breaches against more than 20 major American companies in the past year and a half; the Office of Personnel Management hack that compromised records on some 22 million federal workers; hacking at the IRS that compromised 330,000 taxpayer records; and the North Korean hack of Sony Pictures Entertainment.

“Data breaches at both [the health care provider] Anthem and JP Morgan resulted in the theft of 80 million health care subscribers’ personal data and 83 million banking customers’ personal information,” Johnson said.

At the White House, foreign hackers compromised networks in a breach that revealed the president’s private schedule.

“Federal agencies are neglecting to protect Americans’ data and federal law is preventing companies from defending their networks,” Johnson said.

Arguing in favor of the legislation, Johnson said private companies are reluctant to share threat data with the government, and that such data needs to be transferred rapidly. A Verizon data breach probe this year disclosed that 75 percent of cyber attacks spread within 24 hours and 40 percent proliferated within an hour.

“There is no easy solution, but there are things Congress can do to improve cyber security that might make cyber attacks more difficult,” Johnson said.

The bill would require a government-wide intrusion detection system for federal networks and calls for uniform security access rules that would have stopped earlier attacks.

The CISA appears to be yet another attempt by the U.S. government to legislate a solution to a major problem that government remains ill-suited to address.

It harkens back to Ronald Reagan’s remark during a 1986 speech when he said the nine most terrifying words in the English language are “I’m from the government and I’m here to help.”

Legislation that increases government secrecy by seeking to bring private sector companies into the cloistered world of classified information is a recipe for increased information hoarding.

A better approach would be to develop information-sharing mechanisms more informally, as under the current system, in which companies voluntarily seek government assistance when they need it rather than being forced to do so.

If Congress wants to assist the private sector, legislation should be passed that would permit companies and security firms to take offensive cyber counter attacks. Current U.S. law prohibits such offensive attacks, which could be taken in response to hacking and would be aimed at stealing back the information, destroying it in the information systems of foreign hackers and criminals, or taking steps to destroy or undermine established foreign hackers and organizations, including foreign intelligence services.

Once it passes the Senate, the legislation must be reconciled in conference with a House version passed earlier.

Oct. 24, 2014

The post Controversial cyber threat intelligence-sharing bill: Threat to hackers or to Americans’ privacy? appeared first on Flash//CRITIC Cyber Threat News.