The rhetorical battle lines are drawn for a late-summer “virtual” debate over cybersecurity leading into an anticipated actual debate on the Senate floor in the fall.
Senate leaders have agreed to bring up the Cybersecurity Information Sharing Act (CISA) sometime after the September debate on the Obama administration’s nuclear accord with Iran. It’s still unclear exactly when and how cyber will fit into the Senate’s jammed fall schedule.
The so-called CISA bill authorizes industry sharing of cyberthreat indicators with government, with related legal liability protection for industry. The measure is the top legislative priority on cyber for major industry groups from the financial, energy, telecom and other critical infrastructure sectors.
It has generated fierce opposition from online privacy advocates who slam the measure as a “surveillance bill.”
The industry-based Protecting America’s Cyber Networks Coalition has launched a “fact versus myth” campaign to press a weekly message in support of CISA.
The campaign is based on countering five “myths” about the cyberbill being advanced by opponents: that it would allow sharing of broad types of digital information; that it authorizes government surveillance of U.S. citizens; that it would allow companies to “hack back” against cyberattackers; that it doesn’t require companies to remove personal data from shared information; and that businesses would be “encouraged” to share with the Defense Department and National Security Agency.
The coalition put together a string of data typical of the kind of cyberthreat indicators shared between industry and government.
“The caption below isn’t a series of typos. It shows a typical example of cyberthreat information — technical and sterile data — that businesses share and receive from industry and government partners to counter cyberattacks. It contains no personal information — and that’s the point,” according to a statement from the coalition.
The box of data didn’t contain any elements that appeared to be personally identifiable information, or PII. It looked like this:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ZBC DDoS - HTTP Header Structure with Hex Byte URI seen"; flow:established,to_server; content:"Keep-Alive|3a 20|"; http_header; fast_pattern; content:!"gzip"; http_header; content:"Connection|3a 20|Keep-Alive"; http_header; nocase; pcre:"/[?&][a-f0-9]{5,6}$/U"; classtype:web-application-attack; sid:40000006; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ZBC DDoS - KamiKaze"; flow:established,to_server; content:"CLIENT-IP|3a 20|"; http_header; fast_pattern; content:"Via|3a 20|"; http_header; content:"X-FORWARDED-FOR|3a 20|"; http_header; classtype:web-application-attack; sid:40000007; rev:1;)
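The two rules above are Snort signatures: a header (action, protocol, source, destination, ports) followed by option fields such as content matches, a regular expression and a signature id. The script below is an added example, not part of the coalition's post or the article: it parses rule lines into their fields and then runs a simple screen over the free-text values for patterns that look like personal data (e-mail addresses, phone, card and U.S. Social Security numbers), the kind of check a sharing program would run before indicators leave the organization. It goes beyond the page in that it is a general parser rather than a description of these two rules. The function names (parse_rule, screen_for_sharing), the pattern list and the "leaky" counter-example rule with a made-up example.com address are all constructed for this illustration; the two clean rules are those quoted above with straight quotes.

```python
import re

# The two rules quoted on the page, one per line (straight quotes instead of curly ones).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ZBC DDoS - HTTP Header Structure with Hex Byte URI seen"; flow:established,to_server; content:"Keep-Alive|3a 20|"; http_header; fast_pattern; content:!"gzip"; http_header; content:"Connection|3a 20|Keep-Alive"; http_header; nocase; pcre:"/[?&][a-f0-9]{5,6}$/U"; classtype:web-application-attack; sid:40000006; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ZBC DDoS - KamiKaze"; flow:established,to_server; content:"CLIENT-IP|3a 20|"; http_header; fast_pattern; content:"Via|3a 20|"; http_header; content:"X-FORWARDED-FOR|3a 20|"; http_header; classtype:web-application-attack; sid:40000007; rev:1;)
'''

# Constructed counter-example (not from the page): an analyst pasted a mailbox address
# into the msg field, so this rule must be cleaned before it is shared.
LEAKY_RULE = r'alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Outbound mail from jane.doe@example.com"; content:"MAIL FROM"; sid:1000001; rev:1;)'

# Snort rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)

# Patterns that indicate personal data. IP addresses are deliberately not listed:
# they are the indicator itself, not information about a person.
PII_PATTERNS = {
    'email': re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'),
    'us_ssn': re.compile(r'\b\d{3}-\d{2}-\d{4}\b'),
    'card_number': re.compile(r'\b(?:\d[ -]?){13,16}\b'),
    'phone': re.compile(r'\b\d{3}[-.]\d{3}[-.]\d{4}\b'),
}


def split_options(opts):
    """Split the option body on ';' while leaving ';' inside double quotes alone."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_option(item):
    """Turn 'key:"value"' into (key, value); flag options like http_header get None.
    A leading '!' (negated content match) is kept on the value."""
    key, sep, value = item.partition(':')
    if not sep:
        return key.strip(), None
    value = value.strip()
    negated = value.startswith('!')
    if negated:
        value = value[1:].strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return key.strip(), ('!' + value) if negated else value


def parse_rule(line):
    """Parse one rule line into header fields plus an ordered list of (key, value) options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not a Snort rule header: %r' % line[:40])
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    rule['options'] = [parse_option(item) for item in split_options(m.group('opts'))]
    return rule


def pii_findings(rule):
    """Return (option, kind, matched_text) for every option value that looks like PII."""
    findings = []
    for key, value in rule['options']:
        if value is None:
            continue
        for kind, pattern in PII_PATTERNS.items():
            for hit in pattern.findall(value):
                findings.append((key, kind, hit))
    return findings


def screen_for_sharing(text):
    """Parse every rule line in text; return {sid: findings} for rules needing review.
    An empty dict means nothing in the batch looked like personal data."""
    flagged = {}
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rule = parse_rule(line)
        sid = dict((k, v) for k, v in rule['options'] if v is not None).get('sid', '?')
        hits = pii_findings(rule)
        if hits:
            flagged[sid] = hits
    return flagged


if __name__ == '__main__':
    print('page rules flagged:', screen_for_sharing(SAMPLE_RULES))   # expect {}
    print('leaky rule flagged:', screen_for_sharing(LEAKY_RULE))
```

Run against the two rules from the page the screen returns an empty dict, which is the coalition's point in machine-checkable form: every field is either a network placeholder ($HOME_NET, $HTTP_PORTS), a byte pattern in an HTTP header, a regular expression over a URI, or a signature number. The constructed leaky rule shows the other side of myth four: the indicator format does not prevent a human from pasting personal data into a free-text field, so the obligation to remove it has to be enforced by a check like this one rather than assumed from the format.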
The hope, among industry supporters of the bill, is that wavering senators won’t buy into the opposition argument once they understand the debate is really about sharing technical clues, not personal information.
Last week, the coalition pressed the message that only limited types of information would be shared. This week it’s attempting to knock down the “surveillance bill” charge.
Next week the coalition will take on the charge that the bill’s language allowing companies to engage in “defensive measures” in cyberspace actually authorizes dangerous “hack backs” that could trigger cyberwar.
The online privacy community wasn’t much impressed by the business side’s campaign.
“I saw the post, I didn’t find it very convincing,” said Nathan White of the digital rights group Access. “We’re feeling confident that we’ve been able to slow things down and change the narrative around the bill. We’re currently exploring ways to help facilitate lawmakers hearing from their constituents, but people are fired up. If lawmakers talk to their constituents they’ll hear opposition. And if they look at the bill, they’ll see it doesn’t deliver on its promises.”
An industry source expressed frustration that the bill’s foes won’t discuss the problems the bill is trying to address, namely that it’s impossible to create a true picture of the cyberthreat environment without more robust sharing — and that such sharing simply won’t happen without legal protection for the business side.
“They aren’t quite capturing the nuances of our argument,” the industry source said. “They don’t even want to talk about our needs — and we’re always willing to talk about how to improve the privacy protections.”
The source added: “We need to remember who the bad guys are, this is aimed at overseas bad actors.”
The anti-CISA argument was most fully expressed in a floor speech delivered by Sen. Ron Wyden, D-Ore., as the Senate raced toward adjournment on Aug. 5.
“When I say personal information, I’m talking about the contents of emails, financial information, basically any data at all that is stored electronically,” Wyden said. “CISA, as the bill is called, would allow private companies to share large volumes of their customers’ personal information with the government after only a cursory review. And colleagues who want to look at that provision ought to take a look at page 16 of the bill. And we were told repeatedly that this legislation was voluntary.”
Not so, Wyden said. “While the fact is it is voluntary for the companies. But for the citizens of Pennsylvania, the citizens of Oregon, those across this country, it’s not voluntary. The people of Pennsylvania won’t be asked first whether they want their information sent to the government. Oregonians won’t have the chance to say whether or not they want that information sent. For them, this legislation is mandatory.”
Wyden offered an example: “Imagine that a health insurance company finds out that millions of its customers’ records have been stolen. If that company has any evidence about who the hackers were, or how they stole this information, of course it makes sense to share that information with the government.”
Wyden wrapped up with a final swipe at the bill — that after all the hoopla, it simply wouldn’t work.
“And I’m going to close by talking about the question of effectiveness,” he said. “Because I think we all understand that we are facing very real cyberthreats. I’m of the view this bill in its present form would do little of anything to stop large sophisticated cyberattacks like the Office of Personnel Management hack.”
And, Wyden said, “I don’t think senators ought to take just my word for it here. In April, 65 technologists and cybersecurity professionals expressed their opposition to the bill in a letter to Chairman [Richard] Burr and Vice-Chairman [Dianne] Feinstein. Referring to the bill and similar bills they wrote and I quote ‘We appreciate your interest in making our networks more secure. But the legislation proposed does not materially further that goal and at the same time it puts our user’s privacy at risk.’ ”
Much of the business community and the people who operate the nation’s critical infrastructure strongly disagree with the technologists’ assertion, but they will have to battle it out on the Senate floor — and in the court of public opinion — this fall.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.