The latest clash in the cybersecurity vs. privacy debate played itself out in Congress on Tuesday when the Senate passed the Cybersecurity Information Sharing Act. Supporters say the bill, approved 74-21, will help stop hackers by getting companies that have been breached to share information about the embarrassing attack with federal law enforcement. The House passed its version in April.
But CISA is very controversial. While proponents call it common sense, critics say it’s just an excuse for intelligence officials to grab data on citizens without a warrant.
Before we get to the controversy, what is the bill supposed to do?
According to supporters, there’s a big problem: an information gap. When hackers hit a private company, that company is handcuffed or tongue-tied. It can’t readily tell people outside its legal walls what happened, which suspicious Internet Protocol (IP) addresses or malware code hit it. So other potential targets can’t defend themselves.
Supporters say CISA changes that by letting companies share “cyber threat indicators” with the Department of Homeland Security, which in turn can send out the red alert, share the code and warn others.
So that doesn’t happen right now?
Well actually, it does. There are existing initiatives, coordinated by Homeland Security and the National Institute of Standards and Technology, to share threat information. There are also subscription services in the private market.
This bill creates a new pipeline. Homeland Security has to share the company’s report — which may include customers’ personally identifiable information — with the National Security Agency and other spy agencies.
The Senate bill is coming out of the Intelligence Committee, not the Commerce Committee. It had many amendments. One that failed Tuesday would have required the removal of personally identifiable information before a company shares information about threats.
Is privacy the main criticism?
Privacy is a huge issue. Tech giants, which have to rebuild trust with users following the Edward Snowden leaks, have come out against the bill for that reason.
Another concern is simply effectiveness, or rather ineffectiveness. There’s a technical problem. Many companies don’t realize they’ve been attacked, either because they’re not investing in services to identify breaches or because they’re not reading the data they’ve collected. According to a breach report by Verizon, this lag in detection is “one of the primary challenges to the security industry.”
Lawmakers could have focused on creating mandatory cybersecurity standards for companies, to encourage the firms to invest more in data security. A group of professors who teach cyber law and cybersecurity — and oppose CISA — say in a statement:
“Rather than encouraging companies to increase their own cybersecurity standards, CISA ignores that goal and offloads responsibility to a generalized public-private secret information sharing network. CISA creates new law in the wrong places.”
Does the bill require information-sharing?
No. Cooperation is voluntary. But there’s a nice incentive built in. Say a company shares too much about its users or customers. The bill eliminates legal liability, so the company can be shielded from private lawsuits and antitrust laws.
This isn’t the first time we’ve heard about an information-sharing bill to stop hackers. Another failed in 2012. What’s different?
CISA comes at a different time, politically.
Back when Democrats controlled the Senate, they blocked a bill with a similar acronym — CISPA (the Cyber Intelligence Sharing and Protection Act) — that had the same thrust. Now Republicans control the Senate.
And on President Obama’s watch, we’ve had megabreaches like Sony and the federal Office of Personnel Management. He feels pressure to do something. Five days ago, the White House came out in support of the latest bill, saying in a memo that it’s an “important building block.”