Cybersecurity Information Sharing Act Sets Back Privacy -- Redmondmag.com

The Schwartz Report

Cybersecurity Information Sharing Act Sets Back Privacy

Passing the Federal budget before the end of the year was a key priority and became a fortuitous opportunity for Congress to slip in the controversial Cybersecurity Information Sharing Act of 2015 into the spending bill, which President Obama on Friday signed into law. IT providers Amazon, Apple, Google, Microsoft and others have opposed measures in CISA, which seeks to thwart crime and terrorism but facilitates mass surveillance via the sharing of information between companies and the government, notably the National Security Agency.

CISA, as described by Wired, creates an "information-sharing channel, ostensibly created for responding quickly to hacks and breaches [with the affect that it] could also provide a loophole in privacy laws that enabled intelligence and law enforcement surveillance without a warrant." The law also allows the president to create portals for law enforcement agencies to enable companies to facilitate the sharing of that information.

Alarming privacy advocates more is that an earlier version of the bill "had only allowed that backchannel use of the data for law enforcement in cases of 'imminent threats,' while the new bill requires just a 'specific threat,' potentially allowing the search of the data for any specific terms regardless of timeliness," read the Wired article.

Privacy advocates such as the Electronic Frontier Foundation have staunchly opposed CISA and waged a strong campaign against it in 2015. In a statement back in March, the EFF argued the risks of CISA: "Under this bill, DHS would no longer be the lead agency making decisions about the cybersecurity information received, retained, or shared to companies or within the government," it said. "Its new role in the bill mandates DHS send information to agencies -- like the NSA -- 'in real-time.' The bill also allows companies to bypass DHS and share the information immediately with other agencies, like the intelligence agencies, which ensures that DHS's current privacy protections won't be applied to the information. The provision is ripe for improper and over-expansive information sharing."

No Tradeoff Between Privacy and Security
CISA aside, the debate over privacy versus how far the government should engage in surveillance to protect the U.S. from crime and terrorist attacks will remain a focal issue in 2016. Apple CEO Tim Cook reiterated his company -- and IT community at large -- won't back down on its position that Americans shouldn't compromise their privacy to give law enforcement access to encrypted data. While saying Apple complies with subpoenas, Cook said on last night's 60 Minutes that people should not have to give up their privacy so that law enforcement can provide security.

"I don't believe the tradeoff here is privacy versus national security," Cook told Charlie Rose. "I think that is an overly simplistic view. We're America -- we should have both." Cook and Microsoft President and Chief Counsel Brad Smith are steadfast proponents of that notion.

When I sat down with Smith and several other IT journalists a few months ago, Smith said "we will protect you from being attacked. Your data is private, it's really your data, it's not our data and it's under your control."

Microsoft Corporate VP Scott Charney testified back in January before the U.S. Senate Committee on Homeland Security and Governmental Affairs at a hearing entitled: "Protecting America from Cyber Attacks: the Importance of Information Sharing." In a blog post following his testimony, Charney spelled out where Microsoft stands. "Information sharing forums and processes need not follow a single structure or model, and governments should not be the interface for all sharing," he said.

A Key Issue Among Presidential Candidates
While their positions on information probably won't solely determine the outcome of the presidential election in 2016, candidates are making their positions known -- or are dodging the issue. I noted last week where the Republicans candidates stand. During the debate among the top three Democratic presidential candidates Saturday night in New Hampshire, it appeared only Martin O'Malley was the clearest opponent of giving the Feds more access to user data. "I believe that we should never give up our privacy; never should give up our freedoms in exchange for a promise of security," O'Malley said.

Front-runner Hillary Clinton acknowledged she doesn't understand much of the technology saying "maybe a back door is the wrong door" but adding that "we always have to balance liberty and security, privacy and safety, but I know that law enforcement needs the tools to keep us safe."

The debate question by ABC's Martha Raddatz arose following FBI Director's James Comey's testimony Dec. 9 before the U.S. Senate Judiciary Committee in which he argued for voluntary measures between tech providers and law enforcement such as smartphone makers to no longer offer unlocked phones that would enable encrypted communications. "It's actually not a technical issue; it's a business model question," Comey said. "A lot of people have designed systems so that judges' orders can't be complied with ... The question we have to ask is: should they change their business model?"

How hard of a line would you like to see IT and communications providers to take on this issue?

Posted by Jeffrey Schwartz on 12/21/2015 at 10:32 AM

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.