Several Supporters of CISA Admit Its Inadequacy

In recent days, there have been reports that the same (presumed Chinese) hackers who stole vast amounts of data from the Office of Personnel Management have also hacked at least United Airlines and American. (Presuming the Chinese attribution is correct — and I believe it — I would be surprised if Chinese hackers hadn’t also tried to hack Delta, given that it has a huge footprint in Asia, including China; if that’s right and Delta managed to withstand the attack, we should find out how and why.)

Those hacks, and the presumption that the Chinese are stealing the data to flesh out their already detailed map of the activities of US intelligence personnel, have led a bunch of Cybersecurity Information Sharing Act (CISA) supporters (Susan Collins and Barb Mikulski have already voted for it, and Bill Nelson almost surely will, because he loves surveillance) to admit its inadequacy.

In recent months, hackers have infiltrated the U.S. air traffic control system, forced airlines to ground planes and potentially stolen detailed travel records on millions of people.

Yet the industry lacks strict requirements to report these cyber incidents, or even adhere to specific cybersecurity standards.

“There should be a requirement for immediate reporting to the federal government,” Sen. Susan Collins (R-Maine), who chairs the Appropriations subcommittee that oversees the Federal Aviation Administration (FAA), told The Hill.

“We need to address that,” agreed Sen. Bill Nelson (D-Fla.), the top Democrat on the Senate Commerce Committee.

[snip]

“We need a two-way exchange of information so that when a threat is identified by the private sector, it’s shared with the government, and vice versa,” Collins added. “That’s the only way that we have any hope of stopping further breaches.”

[snip]

That’s why, Nelson said, the airline industry needs mandatory, immediate reporting requirements.

“All the more reason for a cybersecurity bill,” he said.

But for years, Congress has been unsuccessful in its efforts.

Sen. Barbara Mikulski (D-Md.), the Senate Appropriations Committee’s top Democrat, tried three years ago to move a cyber bill that would have included rigid breach reporting requirements for critical infrastructure sectors, including aviation.

“We were blocked,” she told The Hill recently. “So it’s time for not looking at an individual bill, but one that’s overall for critical infrastructure.”

So now we have some Senators calling for heightened cybersecurity standards for cars, and different, hawkish Senators calling for heightened cybersecurity sharing (though they don't mention security standards) for airlines. Bank regulators are already demanding higher standards from banks.

And someday soon someone will start talking about mandating response times for operating system fixes, given the problems with Android updates.

Maybe the recognition that one industry after another requires not immunity, but an approach to cybersecurity that actually requires some minimal actions from the companies in question, ought to lead Congress to halt before passing CISA and giving corporations immunity, and to think more seriously about what a serious approach to our cyber problems might look like.

That said, note that the hawks in this story are still adopting what is probably an approach of limited use here. Indeed, the story is notable in that it cites a cyber contractor, Jeff Schmidt of JAS Global Advisors, actually raising questions about whether mandated info-sharing (with the government, not the public) would be all that effective.

If OPM has finally demonstrated the real impact of cyberattacks, then maybe it’s time to have a real discussion of what might help to keep this country safe — because simply immunizing corporations is not going to do it.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

6 replies
  1. Romancing the Loan says:

    The combo of airlines, OPM, and (I saw somewhere else) one company that handles transactions for hotel reservations could easily be put together to find identities of US’s foreign spies – track back to each past security breach and find out who the innocent-seeming Americans were who traveled there around that time, then check for them in the OPM records.

    Between this and Snowden, the intelligence community has lost an enormous amount of ground, and I’m not sure closing the barn door post-horse is going to make much of a difference.

  2. jerryy says:

    Imagine if you went into a bank and instead of it having a vault/safe where the bankers keep your money, they just stacked it up in a pile in one of the corners.

    Suppose that immunity for the bankers was all the protection you get from someone stealing your money.

  3. scribe says:

    It would be a lot easier and simpler if we simply imposed criminal penalties on the officers and directors of companies which failed to secure the personally identifiable information in data held by their companies, and removed “I had subordinates take care of it and they failed” as a defense.

    But that will never happen.

  4. Bitter Angry Drunk says:

    The problem is Congress and government agencies and, as we're seeing, much of "private" industry don't know shite about maintaining and securing computer networks. Of course what they do know is ass-covering. Hence the immunity granting...

  5. bloopie2 says:

    Oh come now, surely you trust the government to do right, I mean, they're so smart they know if you're going to be a bad girl even before you know that! ("The Obama administration's no-fly lists and broader watchlisting system is based on predicting crimes rather than relying on records of demonstrated offenses, the government has been forced to admit in court.")

    http://www.theguardian.com/us-news/2015/aug/10/us-no-fly-list-predictive-assessments

  6. Ed Walker says:

    I am a subscriber to The American Banker daily scan, and as a result get a bunch of other odds and ends. One thing that banks and other financial groups are looking at is blockchain technology. I wonder if that might be an approach to actual security. The general idea is that cracking blockchains is expensive. Here’s a recent piece on the uses of the idea: http://www.latimes.com/business/la-fi-cutting-edge-blockchain-20150809-story.html and here’s a nontechnical discussion: http://recode.net/2015/07/05/forget-bitcoin-what-is-the-blockchain-and-why-should-you-care/. Here’s something more complex: http://www.ft.com/intl/cms/s/0/764aed26-198a-11e5-8201-cbdb03d71480.html#axzz3iRh5yLEo