After the finish line on cyber legislation

28 Oct 2015

When the Senate passed the Cybersecurity Information Sharing Act on Tuesday, it did so in a manner that could not have more thoroughly or blatantly ignored the many privacy concerns surrounding the bill. One of the fights over CISA that had been flying under the radar isn’t any longer: Both the Financial Services Roundtable and the Securities Industry and Financial Markets Association made it clear that they dislike a section of the bill added by Sen.

CISA is intended to aid companies and government agencies trying to defend against computer security breaches by allowing the private and public sectors to share threat data more easily. Opposition to the bill, which would provide incentives to private businesses to share information about online threats with each other and with the federal government, was led by the Senate’s privacy hawks—Ron Wyden, Patrick Leahy, and Al Franken—and backed by civil liberties groups and tech companies who were unhappy with the bill’s privacy protections.

NEW RULES ALLOW YOU TO HACK YOUR CAR: Rules released by the Library of Congress Tuesday make it legal to hack a car, a smart TV, jailbreak a smartphone and a variety of other activities that could uncover code flaws in the emerging Internet of Things. “Almost all new cars have computers inside them, some of which suffer from serious vulnerabilities.

The Act provides legal certainty that companies sharing information have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and defensive measures in real time, as well as when taking actions to mitigate cyber attacks. According to a press release by the College of Healthcare Information Management Executives (CHIME), the bill awaits presidential approval and then will be implemented. CISA would not establish a generally applicable federal standard for safeguarding personal information, nor would it enact a federal breach notification requirement.

HITRUST opposed any amendment that would weaken significant provisions including the need to safeguard privacy and civil liberties or weaken liability protection for information sharing, and encouraged establishment of appropriate roles for government agencies and departments to continue to collaborate with industry. CISA will allow healthcare cybersecurity professionals to connect with one another via a network so that they can exchange information regarding cybersecurity threats.

Despite these concerns, Americans have not been allowed to poke around inside their cars’ software to find bugs or other worrisome code,” the Daily Dot reports. “The Electronic Frontier Foundation, which had lobbied heavily to win exemptions for car software hacking, celebrated its win in a statement. ‘This ‘access control’ rule is supposed to protect against unlawful copying,’ said EFF staff attorney Kit Walsh. ‘But as we’ve seen in the recent Volkswagen scandal—where VW was caught manipulating smog tests—it can be used instead to hide wrongdoing hidden in computer code.’” TWITTER EARNINGS REPORT UNDER SCRUTINY: Twitter’s first earnings report since Jack Dorsey became the permanent CEO is under scrutiny as the site tries to grow its audience. “Twitter reported revenue of $569 million for the quarter Tuesday, and an increase in its monthly user base to 320 million — up from 316 million in the previous quarter. A companion bill has been passed in the House and, if successfully reconciled, the law will be sent to President Obama, who indicated support for the bill. FSR: SIFMA: CISA JUST THE ‘FIRST STEP’ — A common theme among CISA supporters after Tuesday’s vote was that this is just the Senate’s first step on cybersecurity. The controversy surrounding CISA relates primarily to the belief that the bill’s measures seeking greater data security come at too great a cost – privacy.

The challenge with this bill lies in defining exactly what kinds of information are—and are not—needed to help combat computer-based threats. Once a conference bill is adopted, bill co-sponsor Dianne Feinstein told reporters, the Senate should turn its attention to protecting critical infrastructure from cyberattacks. “That’s very difficult, but the fact of the matter is, it’s only a question of time before some adversary takes out a water system or a Pacific Gas and Electric system or, God forbid, an airplane or a control system,” Feinstein said, “so the critical infrastructure of this country is going to need some more protection.” Sen.

The prediction prompted Twitter’s stock to plunge nearly 12 percent in after-hours trading,” The Washington Post reports. “‘As long as they can only provide weak forward guidance, the market will continue to punish them,’ said James Gellert, chief executive of Rapid Ratings.” Advocates of CISA believe, in general, that the sharing of cyber threat indicators or defensive measures for cybersecurity purposes and the monitoring of information systems are needed to address attacks on these systems. Burr and Feinstein folded a number of amendments that they supported into a manager’s package, which tweaked the bill with a limited increase in privacy protections, but left about a dozen others that they did not support to get individual votes. This development reinforces the significance of efforts already underway by HITRUST in coordination with the Healthcare and Public Health (HPH) Government and Private Sector Partnership for Critical Infrastructure Security and Resilience (CISR) to develop an industry-specific framework and guidance.

A denial-of-service attack might require sharing one set of information about the source and nature of malicious traffic, while ransomware distributed via email might necessitate sharing info about the signature of the malicious code or the senders and formatting of the emails being used to deliver it. Although industry is making improvements in cyber readiness and response, by singling out the healthcare industry, the Act sends a clear message that lawmakers are concerned with the pace of this progress. Michael Rogers that it’s “only a matter of time” before U.S. adversaries strike the nation’s critical infrastructure. “This is a first step of many steps that need to be taken,” McCain said, “but it is a most important step because it will lay the predicate for future legislation.” And earlier Tuesday, Senate Minority Leader Harry Reid blasted Republicans for blocking comprehensive cybersecurity legislation three years ago, saying CISA is “far too weak” and more is needed: “To not move forward with more comprehensive cybersecurity legislation will be considered legislative malpractice.” TECHNOLOGISTS WORRY ABOUT COPYRIGHT EXEMPTION TIMING — Dave writes this morning: “Under the Digital Millennium Copyright Act, the Librarian of Congress, with the guidance of the Copyright Office, may grant exemptions every three years for restrictions that bar consumers from breaking software protections. “Acting Librarian of Congress David Mao and Register of Copyrights Maria Pallante used that power Tuesday to let car owners know they can tinker with the computer programs controlling their cars without fear of a lawsuit.

The proposed changes would have tightened mechanisms for removing sensitive personal information from the threat indicators that would be shared under the program, specified the kind of information that could be considered threatening enough to be shared, and made certain information available to Freedom of Information Act requests. HITRUST looks forward to continued engagement with the Department of Health and Human Services (HHS) as the Secretary rolls out the provisions of CISA. Section 104 of CISA would permit a private entity to monitor that entity’s information system or the information system of another entity, including a Federal entity (with that other entity’s written consent), or the information stored on those systems – for a cybersecurity purpose. Security researchers received a greatly hoped-for copyright immunity for hacking into medical devices, cars, and consumer devices, provided they do so in the service of a ‘good faith’ investigation.

The day’s votes caught the eye of Edward Snowden, who took to Twitter to push for the privacy changes, and, when they were voted down, to shame the lawmakers who voted against them. So CISA’s broad language about allowing companies to share “threat indicators” and other “cybersecurity threat” information “notwithstanding any other provision of law” seems to sweep aside the entire existing framework of privacy law under only very vague parameters. But both groups – car enthusiasts and white hat hackers – will have to wait at least 12 months until the new exemptions carry the force of rule.” The full story, for Pros: TRUMP: CHINESE CYBER STRIKES BORDER ON ACTS OF WAR — Chinese cyberstrikes against the U.S. “border on being acts of war,” GOP presidential candidate Donald Trump told the newly launched Breitbart Tech on Tuesday.

Before taking up the bill and voting on final passage, two more individual amendments got a vote, including an especially controversial change from Sen. The members of that committee haven’t even been named and might not get their assignments for weeks, so we have time. “We’re going to move at a very slow pace,” bill sponsor Sen.

He added that the U.S. “should counter attack and make public every action taken by China to steal or disrupt our operations, whether they be private or governmental.” It moved through the committee until last week’s Senate vote for cloture, keeping the bill on the table for discussion, as reported by HITRUST – in collaboration with public and private healthcare technology, privacy and information security leaders – has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use. Companies have the choice as to whether they want to participate in CISA’s cyber threat information sharing process, but all privacy protections are mandatory. For now, businesses should continue to focus on their own efforts to safeguard personal and other confidential data, and be prepared in the event they experience a data breach.

The failure of all four of these amendments—all of them fairly measured in their approach—was a strong signal of how unwilling the Senate was to place any restrictions whatsoever on this bill. As Brian Krebs points out, “The most frustrating aspect of a legislative approach to fixing this problem is that it may be virtually impossible to measure whether a bill like CISA will in fact lead to more information sharing that helps companies prevent or quash data breaches.” Beyond the lack of privacy protections, the lack of any mechanisms in place to assess whether the sharing it enables has measurable impacts on corporate or government security outcomes means that we are unlikely to ever really know whether it curtails privacy protections to any useful purpose, and whether the curtailment of those protections is, in fact, essential to improving security. After that, it seems unlikely that President Obama will veto, since the White House has endorsed CISA, despite threatening in 2013 to veto a similar bill, the Cyber Intelligence Sharing and Protection Act.
