In the wake of the OPM hack, Congress is preparing to do something!!! Unfortunately, that “something” will be to pass the Cyber Information Sharing Act, which not only wouldn’t have helped prevent the OPM hack, but comes with its own problems.
To understand why it is such a bad idea to pass CISA just to appear to be doing something in response to OPM, compare this table from this year’s Federal Information Security Management report with the list of agencies that will automatically get the data turned over to the Federal government if CISA passes.
(A) The Department of Commerce.
(B) The Department of Defense.
(C) The Department of Energy.
(D) The Department of Homeland Security.
(E) The Department of Justice.
(F) The Department of the Treasury.
(G) The Office of the Director of National Intelligence.
So not only will information automatically go to DOJ, DHS, and DOD — all of which fulfill the information security measures reviewed by the Office of Management and Budget — but it would also go to the Department of Energy, which scores just a few points better than OPM; the Department of Commerce, which was improving but lost some IT people and so couldn’t be graded last year; and the Department of the Treasury, which scores worse than OPM.
Which is just one of the reasons why CISA is a stupid idea.
Some folks have put together this really cool tool that will help you fax the Senate (a tool they might understand) so you can explain how dumb passing CISA would be. Try it!