Time to Get VERY Concerned about CISA Gutting Governmental Leverage on Corporations over Cyber

Back in August, I wrote a post wondering whether the following clause in the Cybersecurity Information Sharing Act (CISA) would provide a way for corporations to avoid any government action punishing them for their negligence on cybersecurity.

(D) FEDERAL REGULATORY AUTHORITY.—

(i) IN GENERAL.—Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this Act shall not be directly used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any entity, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.

(ii) EXCEPTIONS.—

(I) REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.

(II) PROCEDURES DEVELOPED AND IMPLEMENTED UNDER THIS ACT.—Clause (i) shall not apply to procedures developed and implemented under this Act.

My worry was that a serial hacking target like Wyndham — or even just a company with sloppy security like GM — could immediately share information on a hack (or even a vulnerability identified by a security researcher whose disclosure technically violated the company’s rights under the DMCA) with the government, and in doing so avoid any further action from the government on that point.

Something similar appears to happen with the Bank Secrecy Act: banks share information and therefore limit their liability for money laundering or supporting terrorists or what have you.

If my concern is correct, it would provide companies that chose not to fix vulnerabilities a way to avoid NHTSA-required recalls or FTC lawsuits.

At Computers Freedom and Privacy, I asked the author of CISA, Senate Intelligence staffer Josh Alexander, about the clause.

His only response was to point to this language permitting disclosure of information.

(a) Otherwise Lawful Disclosures.—Nothing in this Act shall be construed—

(1) to limit or prohibit otherwise lawful disclosures of communications, records, or other information, including reporting of known or suspected criminal activity, by an entity to any other entity or the Federal Government under this Act; or

(2) to limit or prohibit otherwise lawful use of such disclosures by any Federal entity, even when such otherwise lawful disclosures duplicate or replicate disclosures made under this Act.

He emphasized that the government could still respond to unlawful activity. But bad security is not unlawful.

In other words, he had no response to my concerns. Which leads me to believe CISA guts the government’s ability to punish companies that don’t fix their security issues.

I guess that explains why the Chamber of Commerce is so excited about the bill.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

  1. bloopie2 says:

    It’s just getting better: “Hackers use radio waves to silently control Apple’s Siri, Android’s Google Now”. (today’s news)

  2. bloopie2 says:

    Aww, come on, when’s the last time the Government ever took action against a company for having bad data security? All this law does is codify existing policy.

    • emptywheel says:

      Read my earlier post. FTC just recently won a court decision allowing it to sue companies that expose their customers. This may well undercut FTC’s ability to do that.

      • P J Evans says:

        Makes sense. Consumers – in the usual sense, meaning people who buy stuff – shouldn’t have protections. That’s only for government and its favored corporate buddies.

  3. DannyD says:

    Due to the way that the Computer Fraud and Abuse Act is being used as a cudgel against defendants, I’m suspicious that the real purpose here is to open up a new avenue of prosecution for corporations that don’t share.

    Consider the use case where Mega Corp doesn’t want to share all its email traffic without proper warrants. Now, all the DOJ needs to do is find some ‘expert’ to testify that some flaw in Mega Corp’s servers is criminally sloppy, and now the DOJ has a reason to open a complaint, force Mega Corp to defend itself, and through discovery, get all Mega Corp’s security measures. It’s just too easy to overuse these types of provisions; the DOJ has unlimited resources. A small Corp would be forced to settle, and even a big Corp would get blowback from the shareholders after 2-3 years of protracted battle with the DOJ.

    It fits with their overall strategy too, they see that it would be unconstitutional to force Mega Corp to roll, but the threat of ongoing litigation and the promise of immunity if you do is a mighty big incentive.

  4. orionATL says:

    who is staffer josh alexander, where was he before his ssci job, who are his political patrons and associates?

    it seems very odd, and increasingly unbalanced, that our gov’s pervasive domestic spying is not enough to satisfy its asserted needs. now corporations are being enticed/threatened to become part of gov’s spying efforts.

    why would this be necessary?

  5. earlofhuntingdon says:

    A free pass for bad digital security? What’s not to like? Ask Experian.

    It’s what all those lobbying expenses are meant to pay for. Pity about the people whose private information is used, disclosed and looted without restriction or consequence. I can only hope the EU puts muscle behind its top court’s decision that the US is no longer a “safe haven”. That’s legal jargon for a country to which EU persons’ data can be sent without special protections, because its laws already provide protection similar to that provided under EU rules. It’s obvious the US has built a corporate friendly regime that offers no practical protections at all for such information – and its commercialization.

  6. orionATL says:

    https://www.legistorm.com/person/Joshua_Andrew_Galiard_Alexander/215250.html

    http://www.nytimes.com/2014/03/30/fashion/weddings/jennifer-solomon-joshua-alexander.html?_r=0

    https://www.legistorm.com/office/Senate_Select_Committee_on_Intelligence/687/192.html

    http://www.publicpower.org/Events/Landing.cfm?ItemNumber=41856

    freebie – it’s off-topic for, but electric grid security is supremely important. worry though (opposite of not-to-worry though) that there has been no public discussion of the issue or of proposed remedies.

    + devin nunes of the house with a shit-eating grin – but the topics are important and will assuredly receive the chairman’s most serious attention: http://intelligence.house.gov/

    not much i see to complain about senate staffer joshua a.g. alexander unless you consider it a problem to put a 31-year-old staffer in charge of a major change in gov policy relating to corporate law. this whole matter kinda reminds me of the unlegislated, covert, doj decisions about not attacking flagrant, wide-spread fraud in major banks in 2004-2007.

    • P J Evans says:

      The electric grid might be even more subject to hacking than the gas pipeline networks, which have things like remote-controlled and automatically-acting valves.

      • orionATL says:

        that’s an interesting comparison.

        i think we had a fairly recent example reported here, one of the native white boy nut cases, who attempted to damage a power line.

        they are probably better built than i would ever know, but electricity flow to ground at the base of a transmission tower is incredibly dangerous. maybe “it is hoped” that malefactors will get fried before they can do too much damage. :)

  7. karnak12 says:

    The only saving grace for big companies that get hacked and are able to escape any meaningful litigation from the US Gov. or otherwise, is that all the company officers have their personal information in that data dump. That means that they are the ones with more to lose than any of the little people in their database. So when they allow their systems to get sloppy with their security their necks are the ones that are on the line.
    With all the hacking that’s going on these days you’ve got to ask yourself if they thought of this when they allowed the low bidder to take the contract.

  8. orionATL says:

    this cisa thing makes no sense. how does gov protect computer systems, or is it computer system data/documents content, by having corporations turn over records?

    it seems at least as likely cisa represents a disguised intent by ssci or its masters in the executive branch.

    perhaps the cisa is really the doj-u.s.gov equivalent of the chinese hacking of opm, etc., but legal don’t you know, no phishing required :)

    it would be non-spying spying – using computer security as a foil to continue spying on individuals without all the bad press, rather like the prior doj use of revulsion generated by child-pornography as the foil for introducing spying and other constitutionally questionable police/legal tactics.

    but suppose it were on its face a sincere effort at protection. so you have millions upon millions of documents. what then? how could this approach be effective? what will be done with these records? where will they be stored? who, specifically, will analyze them? fbi? contractors? nsa?

    i wonder if cisa represents a richard burr angle on this legislation/process or whether most of ssci are agreeable with whatever is its intent?

    all-in-all a baffling, suspicious effort at computer security.
