Wednesday, March 18, 2015

What ever it is, CISA isn't cybersecurity

In the next couple months, Congress will likely pass CISA, the Cybersecurity Information Sharing Act. This is a bad police-state thing. It will do little to prevent attacks, but do a lot to increase mass surveillance.

They did not consult us security experts when drafting this bill. If they had, we would have told them the idea doesn’t really work. Companies like IBM and Dell SecureWorks already have massive “cybersecurity information sharing” systems where they hoover up large quantities of threat information from their customers. This rarely allows them to prevent attacks as the CISA bill promises.

In other words, we’ve tried the CISA experiment, and we know it doesn’t really work.

While CISA won’t prevent attacks, it will cause mass surveillance. Most of the information produced by countermeasures is in fact false-positives, triggering on innocent anomalies rather than malicious hackers. Your normal day-to-day activities on the Internet occasionally trigger these false-positives. When this information gets forwarded to law enforcement, it puts everyone in legal jeopardy. It may trigger an investigation, or it may just become evidence about you, for example, showing which porn sites you surf. It’s mass surveillance through random sampling.

That such mass surveillance is the goal is demonstrated by several clauses in the bill, such as how the information can be used in cases of sexual exploitation of minors. If CISA were about prevention, then it would be useless in such cases. But CISA isn’t about prevention, it’s about gathering information after the fact while prosecuting a crime.

Even if CISA could work, it would still be dampened by the fact that government is both incompetent and corrupt. The FBI and DHS do not have adequate technical expertise. We can see that from the incomplete and incorrect warnings they produce. That they are corrupt is demonstrated by whether something is a “cyber threat indicator” changes according to what is politically correct. Who receives the best information depends upon who is best politically connected. CISA even calls for loyalty oaths to the United States before the government will even consider sharing threat information. Conversely, the FBI today regularly threatens people to suppress them from sharing cyber threat information that would embarrass the politically connected.

I know all this because I’m one of the foremost experts in this field. I created BlackICE Guard, the first intrusion-prevention system (IPS). The IPS is one of the biggest producers of information the government wants to get their hands on. The IPS is also one of the biggest consumers of threat intelligence that government proposes sharing in the other direction. I have sat in the monitoring center gathering data from thousands of customers, and know from personal experience that it’s of limited value in preventing attacks. When I was favored by the FBI, I received special threat information others did not. When I was not in favor with the FBI, I received threats trying to stop me from embarrassing the politically connected.

In summary, CISA does not work. Private industry already has exactly the information sharing the bill proposes, and it doesn't prevent cyber attacks as CISA claims. On the other side, because of the false-positive problem, CISA does far more to invade privacy than even privacy advocates realize, doing a form of mass surveillance. Even if it could work and privacy could be protected, CISA creates a corrupt system for the politically connected. This is a typical bad police state bill, and not one that anybody should take seriously as something that would stop hackers.

No comments: