Stanford CIS

Sloppy Cyber Threat Sharing Is Surveillance by Another Name

By Jennifer Granick on

Cross-posted from Just Security.

This post is the latest installment of our “Monday Reflections” feature, in which a different Just Security editor examines the big stories from the previous week or looks ahead to key developments on the horizon.

Imagine you are the target of a phishing attack: Someone sends you an email attachment containing malware. Your email service provider shares the attachment with the government, so that others can configure their computer systems to spot similar attacks. The next day, your provider gets a call. It’s the Department of Homeland Security (DHS), and they’re curious. The malware appears to be from Turkey. Why, DHS wants to know, might someone in Turkey be interested in attacking you? So, would your email company please share all your emails with the government? Knowing more about you, investigators might better understand the attack.

Normally, your email provider wouldn’t be allowed to give this information over without your consent or a search warrant. But that could soon change. The Senate may soon make another attempt at passing the Cybersecurity Information Sharing Act, a bill that would waive privacy laws in the name of cybersecurity. In April, the US House of Representatives passed by strong majorities two similar “cyber threat” information sharing bills. These bills grant companies immunity for giving DHS information about network attacks, attackers, and online crimes.

Sharing information about security vulnerabilities is a good idea. Shared vulnerability data empowers other system operators to check and see if they, too, have been attacked, and also to guard against being similarly attacked in the future. I’ve spent most of my career fighting for researchers’ rights to share this kind of information against threats from companies that didn’t want their customers to know their products were flawed.

But these bills gut legal protections against government fishing expeditions exactly at a time when individuals and Internet companies need privacy laws to get stronger, not weaker.

Worse, the bills aren’t needed. Private companies share threat data with each other, and even with the government, all the time. The threat data that security professionals use to protect networks from future attacks is a far narrower category of information than that included in the bills being considered by Congress, and will only rarely contain private information.

And none of the recent cyberattacks — not Sony, not Target, and not the devastating grab of sensitive background check interviews on government employees at the Office of Personnel Management — would have been mitigated by these bills.

None of this has stopped private companies from crowing about their need for corporate immunity, but it should stop Congress from giving it to them. We don’t need to pass laws gutting privacy rights to save cybersecurity.

These bills aren’t needed and aren’t designed to encourage sharing the right kind of information. These are surveillance bills masquerading as security bills.

Instead of removing (non-existent) barriers to sharing — and undermining American privacy in the process — Congress should consider how to make sharing worthwhile. I’ve been told by many entities, corporate and academic, that they don’t share with the government because the government doesn’t share back. Silicon Valley engineers have wondered aloud what value DHS has to offer in their efforts to secure their employer’s services. It’s not like DHS is setting a great security example for anyone to follow. OPM’s Inspector General warned the government about security problems that, left unaddressed, led to the OPM breach.

And there’s a very serious trust issue. We recently learned that the NSA is sitting on the domestic Internet backbone, searching for foreign cyberthreats, helping the FBI and thinking about how to get authority to scan more widely. You can see the lifecycle now. Vulnerable company reports a threat to DHS, NSA programs its computers to search for that threat, vulnerable company’s proprietary data gets sucked in by FBI. Any company has to think at least twice about sharing how they are vulnerable with a government that hoards security vulnerabilities and exploits them to conduct massive surveillance.

Cybersecurity is a serious problem, but it’s not going to get better with Congress doing whatever it politically can instead of doing what it should. It’s not going to get better by neutering the few privacy protections we have. Good security is supposed to keep your information safe. But these laws will make your private emails and information vulnerable. Lawmakers have got to start listening to experts, and experts are saying the same thing. Don’t just do something, do the right thing. And if you can’t do the right thing, then don’t do anything at all.