Eli Dourado and Andrea Castillo of the Mercatus Center Technology Policy Program at George Mason University outside Washington told reporters Tuesday that the Cybersecurity Information Sharing Act was unnecessary and there were other ways to crack down on cyber threats without widespread information sharing among companies and with the government.
It would also allow law enforcement access to the shared information in cases of fraud, identity theft, or imminent harm.
The bill, which ISPs back and which passed 14-1 out of the Senate Select Committee March 13, would make it easier for ISPs to share cyber threat indicators (CTIs) – usually computer code – and to take defensive measures to counter such attacks from botnets, viruses, malware and more.
The legislation authorizes voluntary sharing of cyber threat information between companies and with the government, with the stipulation that companies have to take "appropriate measures" to protect against sharing personally identifiable information. It includes liability protections for companies and individuals who do share information.
In a press conference with reporters, Dourado said the businesses that favored the bill did so not because they thought it would improve cybersecurity, but because the bill would give them impunity from lawsuits for sharing too much info or the wrong info so long as they acted in good faith.
He said CISA would not improve the state of cybersecurity for a number of reasons. First, he said he and Castillo had identified 20 government programs already involved in data sharing, and that if those had not sufficed, there was no reason to think a 21st would be a game changer. Second, he said the government was no great steward of data itself, pointing to the OMB hack of millions of records as one example, but hardly the only one.
Third, he said, the years-long CISA effort is a distraction from other measures the government could take that would be more likely to succeed.
Those, said Castillo, would include strengthening encryption rather than weakening it. The Administration has suggested that back doors need to be included in hardware and software so law enforcement can get to the data, ostensibly for national security reasons. Castillo called it a "war on encryption" that has to stop.
She also said the government could share more information without the bill, such as vulnerabilities it knows about but has not declassified, so that others would know about the bugs.
Dourado and Castillo both suggested the bill was more about surveillance than protection, something cable operators backing the bill have argued is not the case.