October 27, 2015

The U.S. Senate is preparing to vote on cybersecurity legislation that proponents say is sorely needed to better help companies and the government share information about the latest Internet threats. Critics of the bill and its many proposed amendments charge that it will do little, if anything, to address the very real problem of flawed cybersecurity while creating conditions that are ripe for privacy abuses. What follows is a breakdown of the arguments on both sides, and a personal analysis that seeks to add some important context to the debate.

Up for consideration by the full Senate this week is the Cybersecurity Information Sharing Act (CISA), a bill designed to shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another to fight cybercrime. The Wall Street Journal and The Washington Post each recently published editorials in support of the bill.

Update, 6:57 p.m. ET: The Senate this afternoon passed CISA by a vote of 74-21.

Original story:

“The idea behind the legislation is simple: Let private businesses share information with each other, and with the government, to better fight an escalating and constantly evolving cyber threat,” the WSJ said in an editorial published today (paywall). “This shared data might be the footprint of hackers that the government has seen but private companies haven’t. Or it might include more advanced technology that private companies have developed as a defense.”

“Since hackers can strike fast, real-time cooperation is essential,” the WSJ continued. “A crucial provision would shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another. Democrats had long resisted this legal safe harbor at the behest of plaintiffs lawyers who view corporate victims of cyber attack as another source of plunder.”

The Post’s editorial dismisses “alarmist claims [that] have been made by privacy advocates who describe it as a ‘surveillance’ bill”:

“The notion that there is a binary choice between privacy and security is false. We need both privacy protection and cybersecurity, and the Senate legislation is one step toward breaking the logjam on security,” the Post concluded. “Sponsors have added privacy protections that would scrub out personal information before it is shared. They have made the legislation voluntary, so if companies are really concerned, they can stay away. A broad coalition of business groups, including the U.S. Chamber of Commerce, has backed the legislation, saying that cybertheft and disruption are ‘advancing in scope and complexity.’”

But critics of CISA say the devil is in the details, or rather in the raft of amendments that may be added to the bill before it’s passed. The Center for Democracy & Technology (CDT), a nonprofit technology policy group based in Washington, D.C., has published a comprehensive breakdown of the proposed amendments and their potential impacts.

CDT says despite some changes made to assuage privacy concerns, neither CISA as written nor any of its many proposed amendments address the fundamental weaknesses of the legislation. According to CDT, “the bill requires that any Internet user information volunteered by a company to the Department of Homeland Security for cybersecurity purposes be shared immediately with the National Security Agency (NSA), other elements of the Intelligence Community, with the FBI/DOJ, and many other Federal agencies – a requirement that will discourage company participation in the voluntary information sharing scheme envisioned in the bill.”

CDT warns that CISA risks turning the cybersecurity program it creates into a backdoor wiretap by authorizing sharing and use of CTIs (cyber threat indicators) for a broad array of law enforcement purposes that have nothing to do with cybersecurity. Moreover, CDT says, CISA will likely introduce unintended consequences:

“It trumps all law in authorizing companies to share user Internet communications and data that qualify as ‘cyber threat indicators,’ [and] does nothing to address conduct of the NSA that actually undermines cybersecurity, including the stockpiling of zero day vulnerabilities.”


On the surface, efforts to increase information sharing about the latest cyber threats seem like a no-brainer. We read constantly about breaches at major corporations in which the attackers were found to have been inside the victim’s network for months or years on end before the organization discovered that it was breached (or, more likely, before it was notified by law enforcement officials or third-party security firms).

If only there were an easier way, we are told, for companies to share so-called “indicators of compromise” — Internet addresses or malicious software samples known to be favored by specific cybercriminal groups, for example — such breaches and the resulting leakage of consumer data and corporate secrets could be detected and stanched far more quickly.

In practice, however, there are already plenty of efforts — some public, some subscription-based — to collect and disseminate this threat data. From where I sit, the biggest impediment to detecting and responding to breaches in a more timely manner comes from a fundamental lack of appreciation — from an organization’s leadership on down — for how much is riding on all the technology that drives virtually every aspect of the modern business enterprise today. While many business leaders fail to appreciate the value and criticality of all their IT assets, I guarantee you today’s cybercrooks know all too well how much these assets are worth. And this yawning gap in awareness and understanding is evident in the sheer number of breaches announced each week.

Far too many organizations have trouble seeing the value of investing in cybersecurity until it is too late. Even then, breached entities will often seek out shiny new technologies or products that they perceive will help detect and prevent the next breach, while overlooking the value of investing in talented cybersecurity professionals to help them make sense of what all this technology is already trying to tell them about the integrity and health of their network and computing devices.

One of the more stunning examples of this comes from a depressingly static finding in the annual data breach reports published by Verizon Enterprise, a company that helps victims of cybercrime respond to and clean up after major data breaches. Every year, Verizon produces an in-depth report that tries to pull lessons out of dozens of incidents it has responded to in the previous year. It also polls dozens of law enforcement agencies worldwide for their takeaways from investigating cybercrime incidents.

The depressingly static stat is that in a great many of these breaches, the information that could have tipped companies off to a breach much sooner was already collected by the breached organization’s various cybersecurity tools; the trouble was, the organization lacked the human resources needed to make sense of all this information.
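To make the point above concrete, here is an added example (the editor’s code, not code from this article or from any of the sharing programs it mentions) of the mechanical part of what “sharing indicators” buys a defender: a small shared indicator list is matched against a few log lines of the kinds most organizations already collect (proxy, DNS, endpoint file hashes). Every indicator value, hostname, user name and log line is constructed for the example; the IP addresses come from the reserved documentation ranges. The `to_shareable` summary at the end is one assumption about what a minimal outbound record looks like (indicator, sighting count, time window) with the internal user and host fields dropped, in the spirit of the “scrub out personal information” provision the Post describes.

```python
"""Match a shared indicator-of-compromise (IOC) list against local log lines.

Added example; not from the article. All indicators, hosts, users and log
lines below are constructed. IPs are from RFC 5737 documentation ranges.
"""
import re
from dataclasses import dataclass

# Hypothetical indicator feed, keyed by indicator type. Values are made up.
SHARED_IOCS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed log lines: proxy, DNS and endpoint hash events already collected
# by the kinds of tools the Verizon report says most victims already run.
SAMPLE_LOGS = [
    "2015-10-20T08:12:01Z proxy user=alice dst=203.0.113.45:443 bytes=18432",
    "2015-10-20T08:12:05Z dns client=10.0.0.23 query=update-check.example.net",
    "2015-10-20T09:00:12Z edr host=ws-042 path=C:\\Temp\\svc.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2015-10-21T11:45:00Z proxy user=bob dst=93.184.216.34:443 bytes=512",
]

# Extractors pull candidate values of each indicator type out of free text.
EXTRACTORS = {
    "ipv4": re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b"),
    "domain": re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE),
    "sha256": re.compile(r"\b([0-9a-f]{64})\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Sighting:
    timestamp: str
    ioc_type: str
    value: str
    line: str  # the raw event, kept locally for the analyst


def extract_candidates(line):
    """Yield (ioc_type, normalized value) pairs found in one log line."""
    for ioc_type, pattern in EXTRACTORS.items():
        for match in pattern.finditer(line):
            yield ioc_type, match.group(1).lower()


def match_logs(lines, iocs):
    """Return every sighting of a shared indicator in the given log lines."""
    sightings = []
    for line in lines:
        timestamp = line.split(" ", 1)[0]  # lines start with an ISO timestamp
        for ioc_type, value in extract_candidates(line):
            if value in iocs.get(ioc_type, ()):
                sightings.append(Sighting(timestamp, ioc_type, value, line))
    return sightings


def to_shareable(sightings):
    """Reduce sightings to what might go back to peers or an ISAC.

    Assumed minimal record: indicator, count and time window. The raw line,
    and with it user names and internal host names, is deliberately left out.
    """
    records = {}
    for s in sightings:
        entry = records.setdefault(
            (s.ioc_type, s.value),
            {"ioc_type": s.ioc_type, "value": s.value, "count": 0,
             "first_seen": s.timestamp, "last_seen": s.timestamp},
        )
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], s.timestamp)
        entry["last_seen"] = max(entry["last_seen"], s.timestamp)
    return sorted(records.values(), key=lambda e: (e["ioc_type"], e["value"]))


if __name__ == "__main__":
    hits = match_logs(SAMPLE_LOGS, SHARED_IOCS)
    for hit in hits:
        print(f"{hit.timestamp} {hit.ioc_type}={hit.value} <- {hit.line}")
    for record in to_shareable(hits):
        print(record)
```

On the constructed input this finds three sightings in four lines; the matching itself is a dozen lines of code and is not the hard part. Run a feed of many thousands of indicators against a day of proxy logs and the output is the alert volume that needs the analysts the paragraph above says are missing, plus the context (who is behind an indicator, how confident the source is) that bare addresses and hashes do not carry.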

We all want the enormous benefits that technology and the Internet can bring, but all too often we are unwilling to face just how dependent we have become on technology. We embrace and extol these benefits, but we routinely fail to appreciate how these tools can be used against us. We want the benefits of it all, but we’re reluctant to put in the difficult and very often unsexy work required to make sure we can continue to make those benefits work for us.

The most frustrating aspect of a legislative approach to fixing this problem is that it may be virtually impossible to measure whether a bill like CISA will in fact lead to more information sharing that helps companies prevent or quash data breaches. Meanwhile, history is littered with examples of well-intentioned laws that produce unintended (if not unforeseen) consequences.

Having read through the proposed CISA bill and its myriad amendments, I’m left with an impression perhaps best voiced in a letter sent earlier this week to the bill’s sponsors by nearly two dozen academics. The coalition of professors charged that CISA is an example of the classic “let’s do something law” from a Congress that is under intense pressure to respond to a seemingly never-ending parade of breaches across the public and private sectors.

Rather than encouraging companies to increase their own cybersecurity standards, the professors wrote, “CISA ignores that goal and offloads responsibility to a generalized public-private secret information sharing network.”

“CISA creates new law in the wrong places,” the letter concluded. “For example, as the attached letter indicates, security threat information sharing is already quite robust. Instead, what are most needed are more robust and meaningful private efforts to prevent intrusions into networks and leaks out of them, and CISA does nothing to move us in that direction.”

Further reading: Independent national security journalist Marcy Wheeler’s take at EmptyWheel.net.

73 thoughts on “Cybersecurity Information (Over)Sharing Act?”

  1. Daniel Schrader

    I haven’t read the bill, but I am concerned about “a bill designed to shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another to fight cybercrime.”

    The right to your day in court is an important right – and not one that should be given up casually. It sounds like all a company has to do to avoid lawsuits is share info – but what we want them to do is share info – and follow best practices in terms of security.

    This bill appears to reduce the incentive to implement effective security. That doesn’t sound like a great idea.

    1. James k

      I could not agree more with this statement. Never reduce liability to a company that ignores the warnings

    2. Philip Keibler


      With all due respect you should read the bill. It’s misleading to state that you are giving up your right to a day in court. That’s actually a right that can’t be signed away. The way I interpret the CISA is that it provides companies with a means of sharing without an overwhelming risk of litigation being the result.
      It seeks to remove the barriers that may prohibit sharing, not strip you of your rights.
      I believe the biggest issue is that it doesn’t address the conduct of the NSA or other agencies that we know are sitting on information that we could all benefit from. Granted, I’ve been a CISO in some very well known orgs for years now and I understand that “we” possess data that would help others as well. And to be frank, I share a lot of data openly with my peers in the industry. There are a number of forums that we take advantage of, conferences, email subscriptions, linkedin groups, etc.
      The problem isn’t with the private sector, it’s with the govt not sharing. It should be a 2 way street my friends.
      My $.02 anyway.

      1. lunch soon

        They already share all kinds of data about us, including assumptions that are not always correct. I don’t understand why they need a law to say they can do what they are already doing. This sounds like a way to evade responsibility for sharing to the wrong people. Could this law, as written, have shielded Experian from liability for selling to the Vietnamese guy who bought all kinds of information from them? If it is vague enough in the right places (too cynical to see that as accidental), then maybe?

        Honestly, I don’t see why corporations need to have more protections when they aren’t doing what they can in the first place.

      2. Soy Tenley

        “It’s misleading to state that you are giving up your right to a day in court. That’s actually a right that can’t be signed away.”

        A lot of laws are cleverly written to deny people “a day in court” – and allowing “you agree to arbitration” in contracts is one of those ways. In real courts of law, one has rights to appeal to a higher court. In many arbitration clauses, there is no appeal, and class action lawsuits are prohibited too.

    3. Bart

      Yup, “…a bill designed to shield companies from private lawsuits…” sure sounds like a bill designed to shield companies from liability.

    4. Bob Morningstar

      This is just another attempt to transfer or avoid liability. PCI-DSS is another example of “…it’s to protect the consumer…” when it really is a “…let’s push the liability off the banks and payment processors to the merchant…”.

      If you want the truth Follow The Money, always.

      A smart CEO would just start pushing the data in bulk to DHS; that way when the FTC, CFPB, and the lawyers start knocking on your door you can claim immunity because you “shared”.

      What a crock.

  2. Syed Rizvi

    CISA bill is not practical at all. I do believe that the intentions to introduce and vote on this bill are genuine; however, the consequences have not been considered effectively.

  3. anonymous

    “…[T]he trouble was, the organization lacked the human resources needed to make sense of all this information.”

    That says it all. Until there’s education and responsibility this has no effect on the crisis.

  4. Greg D.

    I agree with your viewpoint on this, Brian. Cyber-security is best handled by the free-market, NOT by the government!

    1. MackA

      Greg D. The free market response is part of the problem. Companies do not want to spend money on IT security and the people that operate and maintain it. If your belief is that private companies do a better job, why are so many being hacked? The government does not regulate their ability to secure their data.

      1. Greg D.

        That’s easy to explain. If companies do not adapt to the new reality, they will be hacked, and fall behind companies that have their act together. They will lose to the competition.
        Companies that want to have their act together, hire security experts or security firms, or invest in resources to protect their systems and data. Everyone benefits and prospers.
        Smart companies are smart with their money, dumb companies aren’t and they fall by the wayside or get acquired by a competitor.
        This is why I stated, that the free market is the answer to this problem, not government involvement. The government wants to get involved in everything just to grow bigger and have more influence on daily lives. The fine print in this CISA bill which Brian talks about here is proof of that.

        1. Angela

          The analysis of this bill doesn’t prove that there’s no role for government in regulating cyber security. That’s jumping ahead a little. This analysis simply shows that this *particular* bill is likely to do nothing meaningful to help the situation.

          “If companies do not adapt to the new reality, they will be hacked, and fall behind companies that have their act together. They will lose to the competition.”

          > Maybe. In the meantime, which is likely to be years, many individuals will be injured. That is a key role for government, especially as our world moves increasingly digital. Company data is our data.

        2. Drew

          “Smart companies are smart with their money, dumb companies aren’t and they fall by the wayside or get acquired by a competitor.”

          We’ve seen that this isn’t necessarily true numerous times just in the past two years. For example, despite the Target and Home Depot breaches, how many people still shop there?

          While I’m a fan of letting markets take care of problems in many cases, some problems are simply too complex for markets to solve. The costs of identity theft and data breaches are not adequately priced in markets, and many consumers are not adequately “rational” to not do business with companies who don’t protect their data (even when they know the company isn’t necessarily a good steward of their data).

    2. Soy Tenley

      You say “free market”
      but the corporate heads think :
      “free-of-regulation market”
      “free-of-customer-lawsuit market”

  5. Roger Grimes

    How this can be seen as something negative is beyond me. It’s VOLUNTARY. Every criticism should stop at that realization. How it would even begin to undermine other initiatives is just unbridled speculation. This is net-net good, and long overdue.

    Lastly, if you want to see privacy and security undermined, check out all the real-life, detailed security audits anyone can download and review for banks, insurance companies, and other organizations. They are essentially blueprints for hackers to determine what they need to attack in a given organization. And the law requires that they be made available to the public. It’s nuts!

    1. anonymous

      SEC. 6. Protection from liability.

      (a) Monitoring of information systems.—No cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed, for the monitoring of information systems and information under section 4(a) that is conducted in accordance with this Act.

      If I read that correctly, the mere act of monitoring exempts an organization from action. That’s reason enough to kill it.

      1. Jonathan E. Jaffe

        I’m not for CISA, but what you wrote about Section 6 does not match the reference below. Was it changed one way or the other?

        (Sec. 6) Provides liability protections to entities acting in accordance with this Act that: (1) monitor information systems, or (2) share or receive indicators or defensive measures, provided that the manner in which an entity shares any indicators or defensive measures with the federal government is consistent with specified procedures and exceptions set forth under the DHS sharing process.

        114th Congress, Senate Bill 754
        the entirety of Section 6

        Does that mean the mere act of monitoring exempts an organization from legal action? So, would Experian have still been liable for exposing 200 million financial accounts (see http://www.nc3.mobi/references/20131021-experian) in 2013 if they had been monitoring? They actually sold the information quite openly so how would monitoring have stopped that? Will the CISA bill shield others?

        So did CISA passage reflect a misunderstanding by lawmakers about technology and security? Or, is there another agenda at play? Something similar to the imposition of EMV by 10/1/2015. Was it to protect the public or move liability from one group to another? If the former, why were only 40% http://www.nc3.mobi/references/emv/#20150929 provided EMV cards by the deadline?

        I don’t know. What was passed does not seem to do what was intended. Looks good for speeches, but little else.

        Jonathan @NC3mobi

        1. annonymous

          I quoted from the bill. My analysis stands. The act of monitoring exempts an organization. It does not relieve from any other law (notice, for example). But it does offer liability protection.

      2. ipWitan

        I don’t believe what you say is accurate. It says there is no liability for the monitoring portion – not the breach itself.

        Here is another angle to contend with –

        If I have data of ABC Defense contractor, namely a services agreement. That agreement likely says that I cannot give any information about the deal to third parties or a government without notifying them first with 30 days notice. If I don’t then I may be in breach of my contract with them. Since the law would not require disclosure, e.g. a court order, and personal information about the matter, such as contact information, is compromised – I cannot give that information to someone else, except perhaps the police/FBI, etc. Perhaps this would permit the disclosure despite the agreement.

        *I didn’t read the entire legislation, but did read 106 and 104.

        1. anonymous

          The legislation says a judge will end all litigation if an organization is in compliance. Monitoring = compliance = liability protection. Be careful what you ask for.

    2. Tomi Olivia

      In the outside chance that you aren’t being facetious…

      Voluntary for whom? I’m pretty sure they aren’t going to ask me if I want my information shared with DHS (and whatever other group ‘they’ deem necessary).

      I just see this as one more step in losing our privacy and — ultimately — our freedom.

      I can’t agree that just because security is in shambles that we are supposed to give up our privacy. Granted, privacy is already an illusion, but making that “official” isn’t in any individual’s best interest.

  6. Kent K

    As noted, we have many information sharing vehicles. Various ISACs (some good, some not), professional security organizations, and ostensibly Infragard. The original Infragard charter had similar intent: get businesses to share information about threats with each other and the govt. Reality is, there is minimal government sharing…data goes in and little comes out. CISA won’t solve that problem. I concur with the “it’s a law because we need something” law.

  7. Darth V

    “We want the benefits of it all, but we’re reluctant to put in the difficult and very often unsexy work required to make sure we can continue to make those benefits work for us.”

    Sounds like society as a whole, to me. Expect the results but don’t put in the effort needed to get those results. This statement is true in so many areas, not just technology.

    “Meanwhile, history is littered with examples of well-intentioned laws that produce unintended (if not unforeseen) consequences.”

    And this sounds like how the government has been operating for a long time. I cringe every time I hear someone say that the government needs to “do something.” Most of the time, all they really need to do is get out of the way. Makes one wonder what ulterior motives the authors/sponsors of this bill have in mind, though I think CDT is on the right track.

    1. JCitizen

      I agree, but I’m sure a lot of companies are just flat overwhelmed by the enormous data out there, and how to get it to add up for analysis on mitigation. Maybe some of the big players just need to get together and come up with some security standards, and information sharing rules. They would probably do a better job of it, since the government only seems to know how to violate our security and spy on us. I’m not sure they can be completely trusted here, but there should be something they could do to fabricate an environment where industry could then take over.

      What I think is needed is some kind of Underwriters Laboratory like the venerable UL to help industry weather the vagaries of Information Technology safety and security, much like the present lab does on industrial systems. Maybe they should actually fund UL and add this task to their repertoire!?

  8. Bill

    Breached companies should be required to pay for one year of unlimited freeze/thaw cycles with the credit agencies. Monitoring is about as useless as teats on a boar hog.

    1. Soy Tenley

      “Boar hog” is redundant.
      “useless as teats on a boar hog.”
      Where the heck did a dumb statement like that originate?

  9. B. Henderson

    Money talks. Since the root cause of the ineffective cyber security resides with corporations and the corporations do not want to spend money on the problem, the solution is for the taxpayer/government to fine the corporations into near bankruptcy for each data breach. Only when the fines outweigh the cost of securing the data will the corporations choose to do the right thing.

    Protecting these corporations from lawsuits is the exact wrong thing to do. (The power of the lobbyists)

    Enabling law enforcement to access citizen data without a warrant is also the exact wrong thing to do. The road to hell is paved with good intentions.

    I work in IT. I see the problems. Management chooses to ignore the problems citing budget limitations. Funny thing… There is no budget for a 50 million dollar fine either, but they will pay it.

  10. parabarbarian

    So a bunch of people who can barely use email are going to decide how to do network security. Makes sense…

    1. Soy Tenley

      “Security” and “privacy” is something public figures, particularly politicians, don’t have much of, so they have people who do damage control to keep the criminals from emptying their financial accounts. The rest of us have only ourselves to repair the damage done by the criminals.

  11. Avid Reader

    Nice summary Brian. “Lunch Soon” is right, but only partially: “…corporations need to have more protections when they aren’t doing what they can in the first place.” The problems with ID theft and the current day crisis of data breaches started and end with the utter lack of legislation to STOP the use of US citizens’ SSNs as a widespread de facto personal identifier without limitations. CISA does nothing to resolve this. Take away THIS element, and the breaches would have presented less financial bounty to hackers – but alas, we are too late now, because over the last 20 years, the government has allowed this information to be fleeced and aggregated across supporting PII without consequences, so now we are all crime victims at the mercy of the latest hack. Know your US history: racketeering and profit motives are the lifeblood of the US, from the theft of Native lands to slavery to terror scares to current police militarization: allow or create a problem, pretend to come up with solutions, but increase power and take away citizens’ rights to protest, sue, or otherwise defend their independence. CDT is right – CISA is a backdoor attempt at Total Information Awareness (TIA) that Bush II and Cheney et al. cooked up in 2001, look it up; now that they have everyone scared of breaches, they’ll get your data a la NSA aggregation AND take away your rights.

    1. Nonni Mouse

      You forgot that Bush II and Cheney also control the weather.

      1. Avid Reader

        Not the weather, just your closed mind based on your unawareness of the attempt at developing TIA as a surveillance program. It’s public record.

        1. Nonni Mouse

          Sorry to have offended your Einstein-ness. I’ll spell it out for you; the gov’t has been collecting info for decades, in varying contexts. However, their methods have changed with the invention of better methods. IOW TIA is nothing new.

          I was primarily poking fun at your ignorant strawman re that dynamic.

  12. Chris Nielsen

    I think a national system for the sharing of security information is a great idea. I will join and sell off what I learn to those willing to pay.
    Seriously, such a network could also be hacked and much of the advantage it provides may be lost.

    To me, the real problem is with basic unrestricted access to US-based computer networks and systems. I have one client that only does business inside the US. For them, we have blocked a high percentage of non-USA traffic at the server, web site, and email levels.

    This approach was driven by unending contact form spam, email spam, and hacking attempts. While all of those still exist, the level of activity is low and very manageable. If your business profile matches that of our client, you will not believe how much pressure this takes off defensive systems. Why try to figure out what traffic from [country name] is friendly when you can block the whole thing?

    If companies and ISPs were able to offer some percentage of their services that featured this, I think they could charge a little more for it and also cut costs associated with proactive and reactive security issues. If you can funnel all the bad guys into a smaller corridor then they should be easier to identify and manage.

    As an alternative to static blocking of IP ranges, I’d like to see the Government do something like what iovation.com offers its customers.

  13. Brian K.

    I’m conflicted on this issue. It is so easy to compromise an institution; the perpetrators only need to get it right once whereas we defenders need to be right every dang time. Using the threat feeds that are out there now is beneficial but only to a small degree in my experience, including the non-free feeds that I’ve used.

    The word prevention should never be used in the context of information security IMO. It’s always about determining what is your acceptable level of risk and then finding what technologies and people resources you need to put in place to reach that acceptable level. So, maybe there should be some legal protections for companies to a point given how easy it is to be compromised. But, I’m not sure about that either presently.

    We need more context included with the intel we are feeding into our systems; not just domain names, hashes, IPs, or whatever other IOC/IOA.

    There needs to be a way to share intel among all organizations but still respect anonymity. I strongly subscribe to this idea based upon my experience.

    Not sure this is the way to do it though. Krebs is right on about not having enough human resources to properly analyze all of the data in its proper context(s).

    1. Rabid Howler Monkey

      With regard to human resources relative to information security and data breaches, both the 1976 RCRA (Resource Conservation and Recovery Act for hazardous waste management) and 1980 Superfund Acts have resulted in corporations and governmental entities adding staff members who are responsible for proper management of hazardous waste in these organizations. What’s behind this? Liability. For both organizations and employees, especially management.

      Legislation relative to data breaches should try to do the same. All that is needed is to make organizations and employees, especially management, liable for the failure to implement best security practices. Such liability for data breaches will propel most, if not all, organizations to add additional staff.

      In the environmental realm, the statutory objectives are to prevent the release of hazardous waste and substances into the environment. Thusly, preventing harm to human health and the environment. Liability, joint and several, is the stick.

      In the information security realm, the objective is to prevent the release of customer and employee data via data breaches. Thusly, preventing harm to customers and employees. Surely liability, especially joint and several liability, through statute has a role here…

  14. Rabid Howler Monkey

    Liability should actually be increased for an organization falling victim to a data breach. “The bottom line” consistently gets the attention of C-level executives. Don’t give organizations an incentive to ignore security best-practices.

    Adding personal liability for C-level executives and Board members relating to data breaches would garner even more attention.

    Finally, data breaches should allow for joint and several liability. If a zero-day vulnerability was a contributing factor to a data breach, the manufacturer of the software would become a party to any liability. Recall that in the recent Home Depot data breach, a zero-day vulnerability in Microsoft Windows software was a contributing factor. Implicit here is that corporations that charge customers for software, either through licensing or ownership, should not be allowed to inject clauses in their EULAs which absolve themselves of any liability. Imagine encountering such a license when purchasing an automobile…

    1. JCitizen

      The thing of it is to me, is who is going to come up with the best practices? Better yet where to get help doing it? I address my idea in another post here. I must admit, it is probably better to leave it to civil tort law, than let the NSA completely run the show.

      1. Rabid Howler Monkey

        Sources for best practices include the SANS Institute (mentioned in a later comment here), U.S. CERT, the MITRE corporation and the Australian Defence Signals Directorate, as examples. They’re out there…

        With regard to the 3-letter agency which concerns you so, I’ve made no mention of it in any of my posts. Thus, you can consider that I’m on the side of the academics with which Brian closes the article.

        I would like to expand my discussion of liability to include open-source software such as Red Hat Enterprise Linux (RHEL). Red Hat has similar language to Microsoft regarding liability in its EULA for RHEL subscriptions. So, to be more clear, Red Hat, like Microsoft, should be held liable for the software which it charges its customers for, in this case, binaries.

        Red Hat also makes RHEL source code available freely to anyone. Red Hat should not be liable for its source code which is used by CentOS, government-owned particle physics laboratories (Scientific Linux), Oracle (Oracle Enterprise Linux) and Amazon (Amazon Linux, which is the default image for EC2). However, both Oracle and Amazon charge customers for use of their GNU/Linux distros and, therefore, should be held liable for their use by paying customers. I’m fairly certain that both Oracle and Amazon have similar clauses regarding liability in their EULAs as does Red Hat for customers paying for subscriptions.

  15. Felix Uribe

    I totally agree with the statement “what are most needed are more robust and meaningful private efforts to prevent intrusions into networks and leaks out of them”, something that I don’t see happening anytime soon.

    Brian said it right when he said: “From where I sit, the biggest impediment to detecting and responding to breaches in a more timely manner comes from a fundamental lack of appreciation — from an organization’s leadership on down — for how much is riding on all the technology that drives virtually every aspect of the modern business enterprise today.”

    We need leaders that appreciate that malsubjects will continue to attack and breach systems as long as these leaders understand that this is 2015, 1984 is long gone!!!

  16. Robert Scrogins

    Thanks, Brian. Looks like this is just another straw for business and organizations to grasp that does little to help them assume responsibility for their own security and act accordingly.


  17. Sean

    “Crawl before you walk”

    The Top 20 Security Controls recommended by SANS should be considered the starting point for organizations.

    Companies need to start with this, then later on they can play with the sexy new security toys that are out on the market.

  18. Renegayde

    I had already closed all of my, and my family’s, social media accounts over the last couple of years. We will now only communicate via encrypted means…red phone, text secure, silent circle, encrypted email and internet VPN. It is relatively easy to do these days. As far as purchases, cash and prepaid cards cover most expenditures, but we still have some work to do there.

    I can take care of myself, I do not need the government to “help”.

  19. blah

    I wonder who’s behind this… Dianne Feiiiiiiiiiinstein, oh vey, it’s another shoah.

    American sheep love being slaves.

  20. Ron G.

    This (CISA) is just what we need! Gosh yes! Let’s all give corporations more incentives… including blanket immunity… to share our personal data with the completely trustworthy U.S. Government.

    After the NSA is done licking all that up, perhaps the guberment will also put a copy of all the data onto the computers of the Office Of Personnel Management (OPM)… you know… just for safe-keeping.

    Physician, heal thyself!

    The only thing that’s going to come out of this new data sharing is a bigger pile of data… i.e. a bigger magnet for the hackers who have more brains, skill, and motivation than any of the government people who will be tasked with securing the data… which is to say, all of them.

  21. Medicalquakc

    The liquor distribution business in the US is valued at $150 billion a year, the data selling business is valued at $180 billion a year, and the difference between the two, besides $30 billion, is the fact that we “know” who the alcohol distributors are in the US, but don’t know who’s selling our data.

    The boneheads, either on purpose or out of stupidity, keep ignoring one fact: we need to index and license all those who sell data, as in “who are they” and how are they contributing towards issues with cyber security. If it was not for the money, this would not be such a big problem. Pam at the World Privacy Forum agreed with me a couple of years ago; you need to start somewhere, so all the dumb lawyers who think legal verbiage alone can help are very, very stupid. You can read my campaign here and watch some videos on the topic and learn a lot about who’s selling your data and creating “scores” from it to sell as well.


    You don’t get anything any better with the last White House executive order, as Obama just opened the door for more secretive mining and scoring of our data, the only condition to be met is that you are doing some kind of research for a government agency. Well how hard is that to tweak?

    All this Excess Scoring of US consumers is not only restricting access but it is also putting you in a cesspool of serfs that are at the mercy of those with money in our digital caste system in the US, so any wonder hackers want all this information? One of the Anonymous folks on Twitter confirmed that there are quants and mathematicians on the dark side that are very talented who help keep it all going.


    1. Anonymous Cow

      I’m a little late to this party, but your analogy between liquor businesses and data businesses brings up the issue of licensing.

      In my area anybody who wants to engage in any aspect of the liquor industry must apply for a license before the fact. Licenses are broken up into groups for production, distribution, and sales. If the producer/distributor doesn’t have their own trucks and drivers any company they contract with for deliveries must be licensed as ‘conveyers’. Out of state entities who want to sell or distribute within the state must also be licensed. Any licensed business that changes ownership requires the new owners to go through an ‘acquisition of control’ application. And all license applications require a public posting/public comment period.

      Other types of businesses are subject to similar licensing processes. So why not data brokers or the like?

  22. Dan

    Wow, there is so much naivety about what the NSA does that it dumbfounds me that people comment on things that they know nothing about. First go check out the Mission Statements on http://www.nsa.gov and learn the USA doesn’t spy on you nor does it spy on our allies to share that information. They are a Foreign Intelligence Oriented Agency. You all think you know everything there is about the NSA based upon the over sensationalized reports done by various media agencies post traitor leaks, and so you have become naive.

    CISA is a good step forward to monitoring our critical infrastructure which can be taken down, and then you people who rely on the internet for 90% of your lives would have nothing to do.

    1. Avid Reader

      Really?? Read the “mission statement???”

      You should read James Bamford’s books: start with “The Puzzle Palace,” not the propaganda link. And consider recent press coverage (try PBS’s Frontline broadcasts) of what the NSA does to its own when they dare to reveal the extent of Constitutional overreach that is going on with respect to citizens’ personal privacy and free speech.

      1. Dan

        Yeah, it’s called punishing traitors and those willing to commit treason, possibly due to retaliation. They get what they have coming to them: they signed various documents to protect classified information, and as such they want to violate that, and as such they should get punished. They are not whistle blowers, heroes, patriots, or anything of the sort. They do not deserve protection under The Whistle Blower Act, and they should be punished to the fullest extent of the law for committing willful treason and sent to jail for life. It’s all sensationalized propaganda to further put the US into a bad light and hope the gravest damage is done to the economy and to the millions of lives that put their lives on the line to defend and support the US Constitution, and you, sir, are proof that the Propaganda Machine is working well.

        1. Avid Reader

          Therein lies the problem – willful blindness and willing to accept anything dictated to you by authorities. I do, however, appreciate the healthy debate, it’s free speech and what makes America America.

          Good luck living in the Orwellian world you and those with your perspective hope to create, some – and hopefully the rest of us – will keep our eyes open, not shut, to the possibilities for abuse of the right to question and speak openly about threats from within and from those in positions of immense power and influence. This pattern has played out in history before, and never ends well; technology has unfortunately concentrated the power, capacity, and potential damage that can result.

          Be careful what you wish for.

  23. IA Eng

    HA! This is another act of “play nice”. It’s competition and the god almighty dollar. Since when have any of these places worked together? The 3rd party resident experts go in and do their “magic” and say BS like it was a sophisticated and long winded attack that took this corporation down… when it was a user with elevated rights that bit on a phishing email or uses the same password just about everywhere.

    Crooks KNOW that these companies aren’t going to work together, and it’s working in their favor and will continue to do so for a very long time.

    The “EASE” for everything is the demise of many. It’s easy for customers to use things (and crooks too). It’s the ease with which corporations can “claim” minimal compliance. It’s easy for corporations to obtain large insurance policies and fall back on them in case they haven’t done their due diligence or due care. Software and change do not go through a vetted program like change management. And the list of issues could fill more volumes which could rebuild the universe of paper.

    Not one single “act” is going to clean up this mess. It’s the organization’s individual due diligence, due care and personal pride, decent morals and attention to detail that get the job done. No one says security has to be super expensive. Corporations have engineers that can use/modify low cost or freeware to their advantage, but their hands can somewhat be tied to the almighty words – “ease of use” and “profits”.

  24. Mike

    The point to things like this is to make sure that no one can hold Apple liable for anything that the iphone/ipad can see/hear/detect/capture/read/process in regards to human behavior. Things that are to be emulated by various rival companies. It’s all just a natural governmental response to how dangerous these devices are with regard to privacy in a surveillance state.

    Keep in mind that it’s not just that Apple is such a big and powerful global company, it’s also about the large number of people across the planet that use their products (including government officials).

  25. David Thompson

    One question. If the Chamber of Commerce and, one presumes, ALEC, are promoting this, how likely is it to be of benefit to ordinary Americans?

  26. Faro

    My Target card is now a debit PIN and chip card. Liability is totally on me. The PIN issued was the same as another company’s PIN and chip card. This was well before this bill’s ink dried. They sent me a statement of their policy associated with the debit card as required by law. If I do not want my information shared with other companies they request mailing it in, otherwise they do so automatically. I could go on-line I guess to turn this off or spend the time and money for postage. Anyway, the debit card gets a 5% discount.

  27. Daniel

    The EFF and a number of big companies, I thought, did not like the bill in its current format?

  28. David Humphrey

    In early 2012 my company registered the straw that broke the camel’s back in security incident awareness – Java drive-by compromises that fully illustrated the third stage in the kill-chain on a workstation compromise. It was a new awareness level that caused many companies in the New England area to re-think “sharing” of breach data. DHS wasn’t there for this, but thankfully some of the security practitioners had been employed at enough companies over the years to form an uber-employment mutual trust in order to speak with each other. The legal terminology for the ACSC (Advanced Cyber Security Council) was finally drafted to allow us all to collaborate on what we were seeing on our infrastructure, and what could be done about it. The legal terms were not easy to agree to, and I assume that we are seeing that same set of issues here.

    One of the companies having direct gov’t ties (and funding) advanced the idea of STIX and TAXII to formally share threat intelligence data on Indicators of Compromise, and we learned that using these formats and functionality, there was a way to share obfuscated client data between all of us in a relatively private way.

    Using such formats in this senate bill should be a definitive reference to sharing and, overtly, privacy concerns. It already works. And it may be prudent to review the legal terms already being used in order for the federal government to similarly proceed. STIX, TAXII, and the ACSC legal charter would probably be the model for this Senate bill.
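The comment above describes sharing indicators of compromise in a standard format while keeping client-identifying data out of what leaves the organization. The following is an added illustration of that idea, not code from the commenter, the ACSC, or any STIX/TAXII implementation. It emits an indicator in the shape of a STIX 2.1 Indicator object (the JSON form of the standard that came after the 2015 STIX 1.x XML the commenter would have used); the required STIX fields (type, spec_version, id, created, modified, pattern, pattern_type, valid_from) are real, while the internal observation record, the private-field list, the pseudonym key and the custom x_victim_pseudonym property are constructed here for the example.

```python
"""Turn an internal IoC observation into a shareable, de-identified indicator.

Added example (not the original post's code). The internal record shape,
PRIVATE_FIELDS, GROUP_PSEUDONYM_KEY and the x_victim_pseudonym property are
assumptions of this example; the other indicator fields follow STIX 2.1.
"""
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone
from typing import List, Optional

# Fields of our internal observation that identify the reporting organization or
# its customers and must never leave the building (constructed list).
PRIVATE_FIELDS = {"analyst", "affected_customer", "internal_host", "ticket"}

# Secret agreed within the sharing group. Members derive the same pseudonym for
# the same victim, so sightings correlate without revealing who the victim is.
GROUP_PSEUDONYM_KEY = b"example-sharing-group-key-rotate-me"  # constructed value


def pseudonym(value: str, key: bytes = GROUP_PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable within the group, not reversible."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def stix_pattern(observation: dict) -> str:
    """Render the observable as a STIX pattern; only the IoC itself goes in."""
    ioc_type, value = observation["ioc_type"], observation["value"]
    if ioc_type == "ipv4":
        return f"[ipv4-addr:value = '{value}']"
    if ioc_type == "domain":
        return f"[domain-name:value = '{value}']"
    if ioc_type == "sha256":
        return f"[file:hashes.'SHA-256' = '{value}']"
    raise ValueError(f"unsupported ioc_type {ioc_type!r}")


def to_shareable_indicator(observation: dict, now: Optional[datetime] = None) -> dict:
    """Build the outgoing record from the indicator value and a victim pseudonym only."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": observation["name"],
        "pattern": stix_pattern(observation),
        "pattern_type": "stix",
        "valid_from": ts,
        # Custom property (assumed for this example): lets members correlate
        # reports about the same victim without learning its identity.
        "x_victim_pseudonym": pseudonym(observation["affected_customer"]),
    }


def leaks_private_data(indicator: dict, observation: dict) -> List[str]:
    """Release gate: names of private fields whose values appear verbatim in the output."""
    serialized = json.dumps(indicator)
    return sorted(
        f for f in PRIVATE_FIELDS if f in observation and observation[f] in serialized
    )


if __name__ == "__main__":
    # Constructed sample observation, as an analyst might record it internally.
    observation = {
        "name": "Beaconing to suspected C2 seen in egress logs",
        "ioc_type": "ipv4",
        "value": "203.0.113.7",
        "analyst": "jdoe",
        "affected_customer": "acme-bank",
        "internal_host": "ws-finance-17",
        "ticket": "INC-1234",
    }
    indicator = to_shareable_indicator(observation)
    assert leaks_private_data(indicator, observation) == []
    print(json.dumps(indicator, indent=2))
```

The release gate in leaks_private_data is the part worth keeping in a real pipeline: whatever format is used, the sharing step should prove mechanically, not by policy, that analyst names, host names and customer identifiers never reach the group feed.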
