Question

Congress was slow to pass legislation on cybersecurity information sharing. The Cybersecurity Information Sharing Act (CISA) of 2015 followed at least ten years of discussion. Consider the electric power grid and the threats it faces, what are the limitations of the CISA and provide two changes/additions would you recommend?

Answer 1

Answer:-

what are the limitations of the CISA

There are two basic problems with the so-called Cybersecurity Information Sharing Act, which is scheduled for possible amendment in the Senate on Tuesday. The first is everything the bill, generally approved by the Senate last week, does. The second is everything it doesn’t do.

The bill is so obviously badly written—with overly broad, ill-defined language—that the privacy and consumer groups that long have opposed it increasingly are finding allies in tech companies like Apple, Twitter, and Google, which have gone public with their own opposition. (Disclosure: My employer, R Street Institute, is on record as opposing CISA. So are many of my previous employers and colleagues, including the Electronic Frontier Foundation and the Wikimedia Foundation.)

In effect, the bill aims to sidestep search warrants and other pesky due-process limitations on government by giving technology companies a motive to “share” what it calls “cyber threat indicators” to the Department of Homeland Security. S. 754gives tech companies—which receive troves of data from Internet users—huge incentives (like protection from legal liability) for “voluntarily” sharing these potential “cyber threat indicators” with government agencies.

What’s a “cyber threat indicator”? Section 2 of the bill (full text here) offers a definition so broad that it’s hard to be certain, even after multiple rereadings, what this term doesn’t include. It appears to cover any “information” that would “describe or identify” any “method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability.”

This language could apply to anything. Example: I already have lawful access to my own computers. But what if someone writes up a cautionary note about how to delude me, perhaps through a phone call, into voluntarily giving over my passwords to these systems. She then sends it to me by private email so I can check whether she’s right. But if she does so, isn’t she describing or identifying a method to cause me, with my legitimate access, to defeat my own security-control tools? The law would allow Google (my email provider) to voluntarily share that private email with DHS. That seems like a bad, unintended outcome.

And as Robyn Greene of New America’s Open Technology Institute explains in detail, other provisions extend the scope of this new kind of surveillance well beyond “cybersecurity”

CISA and provide two changes/additions would you recommend?

1. Since cybersecurity is a continuous phenomenon, the CISA Working Group added the evaluation of threats and opportunities related to emerging technologies, regulations and industry standards.
2. Performing technical security tests is essential to identify threats and vulnerabilities.
3. IT practices and policies are critical factors for organizations’ security. Therefore, organizations always identify new opportunities for process improvement in IT practices and policies
4. Streamlining audit processes will require the use of data analytics tools
5. To improve control and quality of information systems, it is essential to provide guidance and consulting services to the organization