By Ericka Chickowski
The recent Senate approval of the Cybersecurity Information Sharing Act (CISA) has the very industry it's supposed to help abuzz with contention. Some believe the legislation is a good first step toward improving how the public and private sector share and analyze security threat indicators, enabling both sectors to more quickly react to new cyberattack patterns. Many others, though, say the act as it stands is not only going to seriously infringe on citizens' digital privacy rights, but it won't really do much to actually improve the state of cybersecurity in the country.
HackerOne set about gathering some opinions across the industry to get a taste for what people in the know really think of CISA. Note: Unless there's a link, the below quotes are from direct statements to HackerOne.
CISA Isn't Cybersecurity
If you're looking for a solid primer on why many security people think CISA stinks, check out Rob Graham's post on the topic from way back from March - it's as relevant today as it was then.
Here's the TL;DR version.
"Private industry already has exactly the information sharing the bill proposes, and it doesn't prevent cyber attacks as CISA claims," writes Graham, owner of Errata Security. "On the other side, because of the false-positive problem, CISA does far more to invade privacy than even privacy advocates realize, doing a form of mass surveillance. Even if it could work and privacy could be protected, CISA creates a corrupt system for the politically connected."
A Rosy Opinion
Of course, there are those who disagree with Graham&mdas;including those who make a living selling to the federal government.
"Sharing cyber threat indicators (CTIs) is the key to stopping, and even preventing, hack attacks," says Todd Helfrich, director of federal sales. "CISA would encourage more companies to collaborate by providing liability protection for organizations sharing CTIs. It's already standard procedure in the cyber world to scrub data, so only what is necessary is shared. CISA does not extend protection to a company that knowingly shares personally identifiable information."
Privacy's Dead Anyway
"Privacy died a long time ago; we're just legalizing its death," says Rod Simmons, director of product management for BeyondTrust. "I respect and sometimes understand the approach of the 'big bad government', but they could easily obtain this information if they wanted to."
He says it remains to be seen whether CISA's actually going to help organizations share security data, though.
"The effectiveness of data sharing will likely continue to be an issue &mdas; one that is compounded by the quantity of breaches to be investigated and the complexity of the breaches that are occurring," he says.
Long-time security industry executive and analyst Christian Renaud gives two thumbs down to CISA's intent and execution.
"My short answer is that CISA does nothing to advance cyber-security and it's just security-washing a surveillance bill of private citizens without a warrant," he says.
Needs A Rewrite
"While CISA has some language in it to help protect personal information, it provides a vehicle by which the federal government can obtain a variety of information which really can violate the privacy of individuals," says Jon Heimerl, senior security strategist for Solutionary. As he explains, all the government has to do is define information to be relevant to a cybersecurity threat and it can be shared extralegally.
"In all of this, the reality is that the Senate shot down every attempt to improve the language which would protect individual privacy," he says. "Yes, they talked about many options, but they did not make it into CISA. We can only hope that rewrites for the final bill fix this problem."
We're Sharing Information! Now What?
Even if CISA does somehow improve the way the security industry shares information, that alone isn't some kind of cybersecurity magic wand, explains Jeff Schilling, CSO of Armor (formerly Firehost).
"Information sharing from CISA will bring more organizations into the security conversation that were not reached before," says Schilling. "But I think most companies still have a very low level of maturity to actually take action with the information they would get from sharing with government."
Threat Intelligence Sharing ≠ The Problem
In a thorough analysis of CISA, Ben Johnson, chief security strategist for Bit9, essentially agreed with Schilling, adding a bit more to this line of thinking.
"Threat intelligence is already being shared bountifully," he said. "It is the processing of that information, the application of that information, the operationalizing [sic] of that information, and finally the incorporation of that information into an overarching cyber strategy and risk mitigation platform that is sorely lacking. "Threat intelligence sharing is not the problem."
Which Is Scarier?
According to David Perry, technical evangelist at Cymmetria, he's never been frightened by malware. It's just something he's had to take precautions against. The loss of privacy is a different matter, he says.
"Once you have no privacy you have no civil rights. The mere existence of so much data about each of us means that in the future, analysis and judgment of us can happen beyond the reach of any laws. In this world, fair employment, fair housing, fair banking may be very hard to get," he says.
"CISA assumes that by sharing our data among multiple agencies that we are served for security purposes. Better to limit the interplay and cross reporting of such data. Of course, I could be wrong, but so could this law."
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.