Why the Information Sharing Bill Is Anti-Cybersecurity

July 22, 2015 in Economics

By Patrick G. Eddington, Sascha Meinrath

The magnitude of the Office of Personnel Management breaches grows worse by the week.

When news of the breach broke in June, OPM officials said more than 4 million current and former federal employees and federal job seekers might have had their personal data compromised. Now, government officials acknowledge the figure is more than 21 million. That means 1 in 15 Americans is directly affected by these hacks. But when you count the families of those who have been exposed, the actual number is far higher. And sources familiar with the situation say that what has been acknowledged publicly may only be the tip of the iceberg.

So, it’s shocking that the Senate is considering a cybersecurity bill that would inevitably lead to government agencies collecting and storing even more sensitive information on still more Americans. If the bill is passed, it means that any future data breach could be far more catastrophic as many more Americans’ data could be compromised.

The Cybersecurity Information Sharing Act (CISA) is the brainchild of Sen. Richard Burr (R) of North Carolina, chairman of the Senate Intelligence Committee. While he has touted the bill as paving the way for government and industry to trade valuable information about cybersecurity threats, critics have called it a surveillance bill in disguise. Earlier this year, dozens of civil society organizations, including X-Lab (Editor’s note: Sascha Meinrath heads X-Lab), issued a letter blasting it as a de facto “back door” for dramatically expanding domestic surveillance because it would create new mechanisms for collecting Americans’ data.

The Cybersecurity Information Sharing Act would give the government carte blanche to collect and store more data on Americans, putting everyone’s information at greater risk.

After reading the latest version of this bill, not only do we agree with this assessment, but our critique goes much further.

CISA authorizes Internet service providers to share virtually unlimited personal identifying information (PII) on huge numbers of individuals based upon undefined “cyberthreat indicators,” all without judicial review or any indication of actual wrong-doing (e.g., guilt by association would likely be enough to target both you and everyone you know).

Our colleague, Jennifer Granick, spelled out some of the implications. “Imagine you are the target of a phishing attack: Someone sends you an e-mail attachment containing malware. Your e-mail service provider shares the attachment with the government, so that others can configure their computer systems to spot similar attacks. The next day, your provider gets a call. It’s the Department of Homeland Security …

Source: OP-EDS
