The Financial Services Roundtable Wants to Terrify You into Giving Them More Immunity

The policy discussion about the many ways that the Cyber Information Sharing Act not only doesn’t do much to prevent the hacking of public and private networks, but in key ways will make it worse, must be making its mark. Because the Financial Services Roundtable, one of the key corporatist groups backing the bill, released this YouTube full of scary warnings but absolutely zero explanation about what CISA might do to increase cybersecurity.

Indeed, the YouTube is so context-free that it doesn’t note that Susan Collins, the first person who appears in the video, has called for mandatory reporting from some sectors (notably, aviation), which is not covered in the bill and might be thwarted by the bill. Nor does it mention that the agency of the second person who appears in the video, Department of Homeland Security Secretary Jeh Johnson, has raised concerns about the complexity of the scheme set up in CISA, not to mention privacy concerns. It doesn’t note that the third person shown, House Homeland Security Chair Michael McCaul, favored an approach that more narrowly targeted the information being shared and reinforced the existing DHS structure with his committee’s bill.

Instead of that discussion … “Death, destruction, and devastation!” “Another organization being hacked!” “Costing jobs!” “One half of America affected!” “What is it going to take to do something?!?!?!”

All that fearmongering and only one mention of the phrase “information sharing,” much less a discussion of what the bill in question really does.

In August, the head of the FSR, Tim Pawlenty, was more honest about what this bill does and why his banks like it so much: because it would help to hide corporate negligence.

“If I think you’ve attacked me and I turn that information over to the government, is that going to be subject to the Freedom of Information Act?” he said, highlighting a major issue for senators concerned about privacy.

“If so, are the trial lawyers going to get it and sue my company for negligent maintenance of data or cyber defenses?” Pawlenty continued. “Are my regulators going to get it and come back and throw me in jail, or fine me or sanction me? Is the public going to have access to it? Are my competitors going to have access to it? Are they going to be able to see my proprietary cyber systems in a way that will give up competitive advantage?”

That is, the banks want to share information with the government so it can help those private corporations protect themselves (without paying for it, really, since banks do so well at dodging taxes), without any responsibility or consequences in return. “Are my regulators going to get [information about how banks got attacked] and come back and throw me in jail, or fine me, or sanction me?” the banks’ paid lobbyist worries. As the author of this bill confirmed last week, this bill will undercut regulators’ authority in case of corporate neglect.

The example of banks dodging responsibility in the past — possibly aided by a similar (albeit more rigorous) information sharing regime under the Bank Secrecy Act — provides all the evidence for how stupid this bill would be. We need corporations to start bearing liability for outright negligence. And this bill provides several ways for them to avoid such liability.

Don’t succumb to bankster-incited fear. America will be less safe if you do.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

9 replies
  1. orionATL says:

    why would banksters or their shills support cisa except to acquire immunity. after all, aren’t they developing their own bulletproof – and maybe even gov-proof – computer network?

  2. bmaz says:

    Immunity??

    This again from private corporations???

    I am getting tired of this. But Congress is ever stupid and compliant I suppose.

  3. orionATL says:

    i believe senator feinstein was the sponsor of the bill. it was reported out of the ssci (the senate select committee on intelligence) by a 14-1 vote, so it is clearly bipartisan, i.e., the stupidity is equally distributed.

    i found this summary and perspective helpful in trying to understand where cisa is coming from and where it is going:

    https://cdt.org/insight/cyber-surveillance-bill-set-to-move-to-senate-floor/

    of particular interest to me was this comment:

    [… Risks turning the cybersecurity program it creates into a back door wiretap by authorizing sharing and use of cyber threat indicators for a broad array of law enforcement purposes that have nothing to do with cybersecurity;

    Does not effectively require that personally identifiable information irrelevant to a CTI be removed before information about the threat indicator is shared;…]

    clearly, the ssci is not doing oversight work on our government security/intelligence agencies, but rather acting thru the cisa legislation as an agent to facilitate and increase the spying gov agencies are allowed to do.

  4. orionATL says:

    i would like to emphasize again that i think the target for institutional computer security enhancement should be institutional computer systems security, not personal data from those systems.

    i cannot see how systems security specialists would need to focus on individual-level data from, say, target or home-depot, when it was flawed security of access to those systems that created the security breach.

    now denial of service attacks might, might require some individual-level data, but then shouldn’t the cisa legislation be renamed to, say, denial of denial of service attacks ?

    on the surface at least, the cisa approach is using the same approach that the national security agency began to use under general alexander – collect every goddamned scrap of info on every person in the country and then sort it out later. this approach emphasizes technological facility and machine intelligence over human analytical intelligence.

  5. orionATL says:

    from the cdt précis cited at #3:

    […the bill permits companies to share any data that meet the broad definition of cyber threat indicators not just for cybersecurity purposes, but for any purpose permitted under the bill, including broad law enforcement purposes. Section 4(c)(1). Once shared, such information could be pooled and mined repeatedly over time not for cybersecurity reasons, but rather for preventing, investigating, mitigating, or prosecuting terrorism suspects, fraud and ID theft, espionage, censorship, theft of trade secrets, and a host of felonies that include running drugs with a gun, kidnapping, and car jacking. Section 5(d)(5). …]

    it seems clear that the cisa legislation is just a gift from the intelligence committee’s congressgoobers to the corporate subworld and the policing/security subworld in our society. the gift to the corporate world is freedom from legal responsibility and the gift to the policing world is getting private entities to do their spying for them, just as with the usa freedom act, where private communications corporations were given the task of doing the government’s spying for it.

  6. orionATL says:

    the u.s. chamber is a major supporter of cisa and takes a dim view of the criticisms voiced above. they want us to understand that such criticism is based in myth:

    https://www.uschamber.com/above-the-fold/cyber-fact-and-fiction-debunking-five-cisa-myths

    of course it’s irrelevant to this discussion, but the u.s. chamber of commerce is at the very top of money-spending to buy politicians, spending $300-400 million dollars per election cycle. whether they can match the koch-brothers-and-other-rich-families political enterprise this coming cycle remains to be seen.

  7. orionATL says:

    summary:

    private institutions, such as major selling-to-consumers corporations, will have no legal obligation to enhance their computer system security under cisa,

    but are given legal protection for such computer security laxity as they demonstrate and, further, for distributing consumer/customer data to gov policing agencies, as well as to other corporations

    on the other hand,

    government policing/spying/ostensibly-security institutions can receive records from any of these selling-to-consumers corporations, as well as other types of corporations, with political protection from being accused of directly spying on citizens.

    it seems computer systems security is minimally enhanced, if at all.

    is cisa not a classic american political con

    benefiting the major selling-to-consumers corporations (and their monied lobbyist, the chamber of commerce), and benefiting the congress as an institution and its individual congressgoobers, but not one ordinary american citizen?
