CISA: A Bonanza…For Lawyers and Spin Doctors

There is a very interesting article out today in IT World that’s worth reading if you want to get a sense of who really stands to benefit regardless of the fate of the endlessly controversial Cybersecurity Information Sharing Act.

The piece quotes Mark Harrington, who, according to the story author, is “general counsel at Guidance Software, which develops and provides software solutions for digital investigations.” Here’s the key paragraph:

Harrington points out that how a company is prepared and how they handle a breach is of tantamount importance, legally speaking. ‘The government is giving favor to companies that are well-prepared and willing to cooperate.’ Harrington suggests, ‘If you don’t have the internal expertise, you should find an expert law firm, educate yourself or find a vendor.’ (emphasis added)

Let’s unpack that very information-filled excerpt.

“The government is giving favor to companies” is a perfect way to describe the anti-trust exemption and liability waiver provisions in CISA, a fact that has been heavily criticized by a number of civil society groups. But it’s Harrington’s second comment that should help us understand why CISA’s approach to online data breach prevention is a form of legislative sleight-of-hand.

It’s not just that CISA as written would trash existing privacy and civil liberties protections in current law. The bill’s authors are ignoring the fact that the real issue is the failure of federal agencies like OPM to adopt and practice sound security practices, not information sharing shortfalls, as Senator Franken has noted.

Instead of investigating why federal agencies have failed to adopt, maintain and enforce cyber security “best practices”, and requiring the adoption of new technologies and database management approaches to minimize risks from future breaches, CISA’s focus is on giving private companies complete legal and anti-trust shielding to pass along your data and mine to sit in still-vulnerable online government data warehouses — the very kind of data warehouses like the now-hacked OPM database.

One thing about CISA is very clear: it would be a “job creation” bill.

It would create new “cyberthreat consultant” opportunities for existing cybersecurity law firms and for “risk management” and “crisis communications” practices, or otherwise incentivize the creation of still more such companies. And even if CISA doesn’t become law, it and similar bills are laying the groundwork for the proliferation of public and private entities more interested in “managing” cyber threats than in developing new tools and approaches to make our online world demonstrably and sustainably more secure.

However, CISA would not create the kinds of jobs really needed to address our 21st-century online “Wild West” — more “white hat” hackers who can help find and plug online vulnerabilities before they become the next #OPMhack story.