The Cyber Information Sharing Act (CISA) has inched another step closer to reality – but not without controversy. The US Senate Select Committee on Intelligence voted Tuesday to approve the bill, which has a stated purpose of opening avenues for information-sharing between companies and the government to combat malicious actors in a consolidated defense. But detractors say the bill doesn’t do enough to safeguard citizens’ privacy.
“Every week, we hear about the theft of personal information from retailers and trade secrets from innovative businesses, as well as ongoing efforts by foreign nations to hack government networks,” Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.) and Vice Chairman Saxby Chambliss (R-Ga.), said in a statement. “This bill is an important step toward curbing these dangerous cyberattacks.”
Senator Angus King (I-Me.) weighed in as well, noting that, “For years the United States has been taking punches from cyber criminals across the globe intent on stealing intellectual property – essentially our ideas – and Americans in manufacturing states like Maine are paying the price. This bill is our counterpunch.”
The full text of the bill is expected to be released later in the month ahead of a full vote in the Senate. For now, Feinstein’s office released a list of features:
- Requires the director of national intelligence to increase the sharing of classified and unclassified cyber threat information to the private sector, consistent with the protection of sources and methods.
- Authorizes individuals and companies to monitor their own computer networks and those of their consenting customers for cyber threats and to implement countermeasures to block those threats.
- Authorizes the voluntary sharing of cyber threat information by individuals and companies with each other and with the government. Such sharing is for cybersecurity purposes only and companies must take appropriate measures to protect against the sharing of personally identifying information.
- Puts in place liability protections for individuals and companies that appropriately monitor their networks or share cyber information.
- Requires federal government procedures for the receipt, sharing and use of cyber information. This includes the establishment of a “portal” managed by the Department of Homeland Security through which electronic cyber information will enter the government and be shared with other appropriate federal entities.
- Limits the government’s ability to use information it receives to cyber-related purposes to ensure it does not engage in inappropriate investigations or regulation.
- Requires reports on the implementation of these authorities by the heads of federal departments, the Privacy and Civil Liberties Oversight Board and relevant inspectors general.
Last year another cybersecurity bill, the Cyber Information Sharing and Protection Act (CISPA) passed the House, but it was dead on arrival in the Senate (and drew an Obama veto threat) because of a lack of privacy protections. A follow-up Cybersecurity Act also went nowhere but has morphed slowly over the past two years into the legislation passed this week. But post-Snowden, privacy is more top of mind than ever before.
“Without having the full text of the new bill available, it is difficult to know just how different this bill will be from the previously defeated Cyber Intelligence Sharing and Protection Act, and whether or not it has closed the various gaps that actually increase surveillance without appropriate controls,” said Steve Hultquist, CIO and vice president of customer success at RedSeal Networks, in an email. “This week's revelation that Edward Snowden had copies of actual communications even after multiple claims that he did not access them are indications of the broad issues with government surveillance and information security controls. Similarly, recent breaches at retailers and utilities indicate weaknesses in security controls. This environment seems especially volatile for the introduction of legislation that would reduce the liability of organizations who fail to protect information.”
Senators Ron Wyden (D-Ore.) and Mark Udall (D-Colo.), who voted against the bill, released a joint critique.
“Cyber-attacks on US firms and infrastructure pose a serious threat to America’s economic health and national security,” they said. “We agree there is a need for information-sharing between the federal government and private companies about cybersecurity threats and how to defend against them. However, we have seen how the federal government has exploited loopholes to collect Americans’ private information in the name of security. The only way to make cybersecurity information-sharing effective and acceptable is to ensure that there are strong protections for Americans’ constitutional privacy rights. Without these protections in place, private companies will rightly see participation as bad for business.”
They added, “We are concerned that the bill US Senate Select Committee on Intelligence reported today lacks adequate protections for the privacy rights of law-abiding Americans, and that it will not materially improve cybersecurity. We opposed the bill for these reasons, but we stand ready to work with our colleagues to address its shortcomings.”
The fact that the bill seems to lack a framework for data organization and format, along with appropriate protection, worries some in the security community.
“On one hand it’s great to see a bill like this getting traction and that we are making strides towards improving information sharing,” said Brandon Hoffman, senior director, Global BD and SE at RedSeal Networks, in an emailed comment. “On the other hand, the critique of this bill is hard to ignore. There has been significant abuse in the past with personal information. To help make this bill effective it is imperative that information scrubbing or anonymizing the information without losing the pertinent details be determined.”
One thing that everyone agrees on is that creating a system for the sharing of security incidents and context is critical.
“Creating one using proper controls and limits to protect both consumers and enterprises from exposure is equally crucial,” Hoffman said. “Walking this tightrope requires extremely high-level technical insight and depth together with a security mindset that protects all of the data involved. This bill will require close examination, and would best be deeply vetted in public.”