How the OPM Hack Demonstrates the Need to Improve CISA
The recent mass breach of computers at the Office of Personnel Management (OPM) has increased pressure on Congress to act to enhance cybersecurity. But the OPM hack also shows why the Cybersecurity Information Sharing Act (CISA, S. 754) should be strengthened in two ways that would not undermine the goals of the legislation. First, information that the private sector shares with the government under the bill should go to the Department of Homeland Security National Cybersecurity and Communications Integration Center (DHS NCCIC), not to whichever federal agency the company chooses, as the current bill would permit. This would direct the flow of cyber threat indicators to an entity that was created to receive and protect them. Second, the requirements to remove personal information from cyber threat indicators before they are shared should be strengthened. If less personal information is shared, less personal information is available to attackers when they break in.
CISA Should Direct the Cyber Threat Indicators that Companies Share to the DHS NCCIC
CISA authorizes private entities to share cyber threat indicators (CTIs) with any department or agency within the federal government (Sec. 3(c)(1)). Many agencies lack the operational ability to receive, store, and process these data, or, as the OPM breach demonstrates, the security protocols and experience needed to adequately protect personal information.
A far better path would be to follow the model of Rep. McCaul’s National Cybersecurity Protection Advancement Act (H.R. 1731), passed in the House earlier this year. That legislation required that companies sharing cyber threat indicators share them with the DHS NCCIC. The NCCIC was created to receive, process, and protect sensitive cyber data. Requiring that all private-to-government sharing be directed to this entity would enhance both data security and operational functionality.
CISA Should Require Implementation of Adequate Privacy Protections Before Information Is Shared.
CISA requires that all information shared with the federal government be automatically and instantaneously shared with a range of federal entities (Sec. 5(a)(3)(A)(i)).[1] However, this sharing would occur before privacy protections could be fully applied. The bill requires that automated sharing occur in “real-time” without any “delay, modification, or any other action” that would impede instantaneous receipt by all other designated agencies (Sec. 5(a)(3)(A)(i)). This would prohibit any privacy protection, including redaction and removal of unnecessary personal information, that requires human effort or review.
Thus under CISA, personal data could be instantly distributed to over half a dozen federal departments without adequate privacy protections, and would then be exposed if the computer networks of any one of these entities were breached. In contrast, the Protecting Cyber Networks Act (H.R. 1560, passed in the House earlier this year) requires that sharing not be subject to “delay, modification, or any other action without good cause that could impede receipt” (emphasis added). This provision would better protect privacy and data security than CISA. Additional language should be added to make clear that applying the privacy policies the bill requires constitutes “good cause.”
CISA Should Be Amended To Strengthen Requirements To Remove Personal Information Before Cyber Threat Indicators Are Shared.
CISA’s requirement to remove personal information (Sec. 4(d)(2)) is riddled with loopholes that can be closed without harming the goals of the legislation. Closing them in three ways would mean less personal information is exposed if (and when) computer systems are penetrated again:
- CISA does not require that companies “take reasonable efforts” to review cyber threat indicators or remove personal information before sharing; any review, even a cursory and ineffective one, would suffice. Both House information sharing bills (H.R. 1731 and H.R. 1560) set a benchmark of “reasonable” efforts, which helps ensure that attempts to review and remove personal information before sharing are effective.
- Even if an acceptable review were to occur, CISA only requires companies to remove personal information they “know” is unrelated to a cybersecurity threat. This could lead companies to adopt a “default share” policy for personal information, always including it unless there is a rare smoking gun demonstrating irrelevance. Both House information sharing bills address this loophole as well, requiring companies to remove personal information that is “reasonably believed” to be irrelevant.
- CISA only requires removal of information that is “not directly related” to a cyber threat, meaning that victims’ personal information (which is generally related to the threat) will often go unprotected. A better standard would require removal of information not necessary to respond to the threat.
Information Sharing Is Not a Cybersecurity Silver Bullet.
Passing CISA without addressing these operational, security, and privacy issues risks creating new problems without providing significant benefits. Attacks that exploit “zero-day” vulnerabilities, which were used in major recent breaches such as OPM and Sony, cannot be prevented through information sharing, because the exploit is unknown and unpatchable at the time it is used. The impact of new information-sharing authorities may also be limited: a letter sent to Congress this April from over 65 technologists and network security experts concluded that “We do not need new legal authorities to share information that helps us protect our systems from future attacks,” and described the information that actually needs to be shared as “far more narrow” than what CISA would authorize. Greater focus should be placed on commonsense security measures that can prevent the infiltrations that lead to major breaches and limit their impact: encrypting data, regularly reviewing and updating systems, and using multi-factor authentication.
[1] Specifically, cyber threat indicators shared under the bill must be shared with the Department of Commerce, the Department of Defense, the Department of Energy, the Department of Homeland Security, the Department of Justice, the Department of the Treasury, and the Office of the Director of National Intelligence.