Thursday 01 December 2022

CISA passes the Senate, opens the door to more abuse and fails to address security


Cybersecurity is a fairly common buzzword in Washington these days. It is tossed around to scare people who do not understand how computer systems work, so that legislation that is exceptionally corporate-friendly and anti-consumer can be pushed through. The latest of these is the Cybersecurity Information Sharing Act. This handy little bit of law passed the US Senate on the 28th (74 to 21) and allows corporations to share customer data with the US government and other companies without any consequences for doing so. This effectively removes any recourse customers or users have over the sharing of their personal information.

To those who would say "so what": this means that if you use ANY online or offline service that collects data about you, that data can be shared with ANYONE without your permission. Privacy and data usage policies would no longer matter. Companies could pass it around under the blanket of cybersecurity, and you would have no legal recourse, because they would be protected by law. There would be no need for warrants or for any other procedure to gain access to your personal information. It is a massive hit in the war for personal privacy.

What makes this even more of a farce are the claims that this bill will help protect systems through this sharing process. Its backers further claim that businesses do not want to share this information out of fear that privacy groups will go after them. To put an end to that claim: there is already an effort to share information about breaches and the vectors used in attacks. This is being done through groups that are not part of the government, and it has never been something that privacy advocates have wanted to stop. If anything, privacy advocates want corporations (and the government) to improve their security and stop the breaches.

Exposing the methods used in an attack to help others avoid them does not require sharing customer data. You can share the exploit, IP addresses used and even the method of lateral movement all without sharing a single bit of customer data. This is all part of the “threat indicators” that the bill is supposed to be about. Threat indicators do not need to, nor should they, include any personally identifying information: to claim otherwise is a lie, pure and simple.
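To illustrate that point in code (an added example, not part of the original article): a small sanitizer that keeps only the technical fields of an incident record, drops anything customer-identifying, and refuses fields whose free text still contains embedded PII. The field names and the sample record are constructed assumptions for the example.

```python
import re

# Technical artefacts of an attack that a threat indicator actually needs.
# Assumption: this record layout is constructed for the example.
SHAREABLE_FIELDS = {"attacker_ips", "exploit", "lateral_movement",
                    "file_hashes", "observed_at"}

# Fields that identify the victim's customers; these never leave the organisation.
PII_FIELDS = {"customer_name", "customer_email", "account_id", "billing_address"}

# PII that can leak inside free-text fields such as analyst notes.
PII_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),   # e-mail address
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),     # US SSN-style number
]


def find_embedded_pii(record: dict) -> set:
    """Return the names of fields whose string values match a PII pattern."""
    leaks = set()
    for key, value in record.items():
        values = value if isinstance(value, list) else [value]
        if any(isinstance(v, str) and p.search(v)
               for v in values for p in PII_PATTERNS):
            leaks.add(key)
    return leaks


def sanitize_indicator(record: dict) -> dict:
    """Keep only allow-listed technical fields (deny by default) and drop any
    surviving field whose text still carries embedded PII."""
    clean = {k: v for k, v in record.items()
             if k in SHAREABLE_FIELDS and k not in PII_FIELDS}
    for key in find_embedded_pii(clean):
        del clean[key]
    return clean


# Constructed sample incident record; addresses and hashes are not real indicators.
INCIDENT = {
    "attacker_ips": ["203.0.113.7", "198.51.100.22"],
    "exploit": "phishing attachment dropping a macro loader",
    "lateral_movement": "pass-the-hash over SMB to the file server",
    "file_hashes": ["d41d8cd98f00b204e9800998ecf8427e"],
    "observed_at": "2022-11-30T14:02:00Z",
    "customer_name": "Jane Example",
    "customer_email": "jane@example.com",
    "account_id": "ACCT-00042",
}

if __name__ == "__main__":
    print(sanitize_indicator(INCIDENT))
```

Everything that helps another defender (attacker addresses, the exploit, the lateral-movement technique, hashes, timing) survives; the customer fields do not.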

This bill is nothing more than a way to allow open sharing of personal information without any fear of consequences. It creates a massive backdoor intelligence-gathering option for the NSA, FBI and others. There is no need to follow due process now: just ask, and companies will hand it over. The proof of this was the rejection of a review policy that would have forced companies to remove personally identifying information from the data submitted. The new bill also blocks many FOI (Freedom of Information) requests about the type and amount of data shared.

Instead of this blatant PII sharing, how about we support the companies that are already working to share threat indicators and indicators of compromise? This type of sharing is much more productive and sees more uptake by corporations than anything involving the Department of Homeland Security, the NSA or the FBI. After all, the last time I checked, the gateways, flow monitors and vulnerability scanners were not getting their updates from DHS, but from much more open sources.

Let’s hope this one does not get past the next step or things could get much uglier out there on the net when it comes to protecting personal data.
