Opinion: Why the information sharing bill is anti-cybersecurity
The magnitude of the Office of Personnel Management breaches grows worse by the week.
When news of the breach broke in June, OPM officials more than 4 million current and former federal employees and federal job seekers might have had their personal data compromised.听Now, government officials acknowledge the figure is more than 21 million. That means听1听in 15 Americans is directly affected by these hacks. But when you count the families of those who have been exposed, the actual number is far higher. And sources familiar with the situation say that what has been acknowledged publicly may only be the tip of the iceberg.
So, it's shocking that the Senate is considering a cybersecurity bill that would inevitably lead to government agencies collecting and storing even more sensitive information on听still more听Americans. If the bill is passed, it means that any future data breach听could听be far more catastrophic as many more Americans' data听could听be compromised.
The 听(CISA) is the brainchild of听Sen. Richard Burr (R) of North Carolina,听chairman of the Senate Intelligence Committee. While听he has touted the bill听as paving the way for听government and industry to trade valuable information about cybersecurity threats, critics have called it a surveillance bill听in disguise. Earlier this year, dozens of civil society organizations including X-Lab (Editor's note:听Sascha Meinrath听heads X-Lab),听issued a blasting it as a de facto "back door" for dramatically expanding domestic听surveillance because it would create new mechanisms for collecting Americans' data.
After reading the latest version of this bill, not only do we agree with this assessment, but our critique goes much further.
CISA authorizes Internet service providers to share virtually unlimited personal identifying information (PII) on huge numbers of individuals based upon undefined "cyberthreat indicators," all without judicial review or any indication of actual wrong-doing (e.g., guilt by association would likely be enough to target both you and everyone you know).
Our colleague, Jennifer Granick, 听some of the implications. "Imagine you are the target of a phishing attack: Someone sends you an e-mail attachment containing malware. Your e-mail service provider shares the attachment with the government, so that others can configure their computer systems to spot similar attacks. The next day, your provider gets a call. It鈥檚 the Department of Homeland Security (DHS), and they鈥檙e curious. The malware appears to be from Turkey. Why, DHS wants to know, might someone in Turkey be interested in attacking you? So, would your e-mail company please share all your e-mails with the government? Knowing more about you, investigators might better understand the attack."
Not only is that scenario likely, but by collecting personal information and storing it in a massive government data warehouse, CISA will dramatically increase everyone's vulnerability in future hacking attacks.
Given the federal government鈥檚 abysmal track record when it comes to protecting its own data, the likelihood of another serious breach remains high. In essence, CISA will make everything you do and say online less safe and more susceptible to government eavesdropping.
In short,听CISA is anti-cybersecurity and it鈥檚 a recipe for making existing problems far worse.
Fortunately, solutions exist for helping prevent the kinds of data breaches that are currently plaguing our government, and they don鈥檛 necessarily require Congress to pass new laws. Instead, we need government to take a fundamentally different approach to data and cybersecurity.
As former OPM director Katherine Archuletta told a Senate committee in June before her resignation, one of the OPM breaches occurred because an outside contractor鈥檚 username and password were compromised 鈥 giving the hackers seemingly legitimate and widespread access to government databases. But left unanswered was why so much personal information on federal employees, retirees, or job seekers was available to a single user in the first place.
Likewise, this breach makes clear that this information is not encrypted within these databases by default, and does not require separate access to an encryption key to unlock a someone's file or otherwise access their data. That should be the case given the highly sensitive nature of this information. It鈥檚 also fair to ask why OPM and other federal agencies with sensitive information aren鈥檛 investing resources in encryption concepts that hold the promise of making databases more secure.
In 2009, IBM researcher Craig Gentry developed the first functioning form of 听鈥撎齛 kind of encryption that allows someone to query encrypted information for a specific piece of data without that data being decrypted and putting that information at risk of exposure. Mr. Gentry鈥檚 work is ongoing, and there are still some to overcome, but his approach is extremely promising and it should be a key area of focus for both government and private sector efforts to secure databases containing personal information.听
In the meantime, the federal government should avoid implementing ill-conceived "information sharing" surveillance schemes like CISA, cease-and-desist its efforts to public key encryption, and terminate existing mass surveillance programs that accumulate more personal information on government IT systems that have proven time and again to be insecure and that have done almost .听
Patrick G. Eddington is a policy analyst in Homeland Security and Civil Liberties at the Cato Institute, and an assistant professor in the Security Studies Program at Georgetown University. Follow him on Twitter听.
Sascha Meinrath is the director of X-Lab, a tech policy think tank, and a cofounder of the Civil Liberties Coalition, a pan-partisan coalition that fights to ensure that surveillance does not infringe upon our fundamental constitutional rights. Follow him on Twitter
听
