July 10, 2014
The CISA Effect on Privacy
Written by
David Kennedy
Program Assessment & Compliance
For folks that haven't learned much about it, the Cyber Information Sharing Act (CISA) is a bill that just made it through the Senate Select Committee and will now make its way to the Senate floor for approval. The bill is intended to create an open platform for sharing information with the government when attacks are occurring. It has the smell of the Cyber Intelligence Sharing and Protection Act (CISPA), which was introduced last year and pulled after heavy negative rallying from practically the entire Internet (cough GoDaddy). The purpose is to give United States companies an avenue for providing data about attacks and data theft to the government without the ramifications of possible lawsuits for sharing that data. While the vast majority of the United States seems to be moving towards more privacy and restricting what the NSA can specifically do, this bill seems to do the exact opposite. For the past several years, the industry, from both an IT and a security standpoint, has been pushing cloud services for ease of use, better reliability, and scalability. With this new bill, there are some major implications for the protection of the information stored in those services and for what that means to a company utilizing them.
Under the bill, third parties can share information with the government without fear of a lawsuit for sharing the data. As an example, a number of companies use the Amazon AWS cloud as a primary means of delivering services and running day-to-day business. The same goes for services such as Office 365, Google Mail for Business, and other third-party services. Under the new bill, these providers can share the data with the government, unfiltered, without ramifications for the types of data involved. There's a discussion among security professionals in the industry now that if you put unencrypted data in the cloud, you are asking for it anyway. I would argue that even if the information is encrypted in the cloud, once the NSA is given access to this data, getting it into an unencrypted format probably wouldn't be trivial.
Why is this such a big deal? Previously, requesting this information would require a subpoena or some other form of legal process. This opens the floodgates to side-stepping that in the name of information sharing. While this is the absolute worst-case scenario, and I'm a huge advocate of sharing information between multiple organizations in order to better protect ourselves, this is scary stuff. Looking through the general information on the bill, it looks like even if you have baked contractual obligations into your agreements with third parties requiring disclosure in the event of information sharing, those would be negated, and a provider could share a business's public data without any form of disclosure.
Let's be clear. Working together to share information and collaborate on what we are seeing is noble and something we need to do better at. This bill on the other hand raises some serious concerns with protecting the exact information it's aimed at securing.
I think this is something we should seriously be concerned with from an industry standpoint but, most importantly, from a privacy perspective. The cloud has always been a point of contention in the security field because it houses sensitive data in third-party infrastructure; this probably solidifies most of our fears and expands on them tenfold.
This article was written by David Kennedy, CEO of TrustedSec.