Since the first computer virus in 1989, the US government has been struggling to keep up with the rapidly evolving world of cybersecurity. Hackers keep changing their methods while Congress sluggishly passes inefficient measures against them. Over the past 30 or so years, multiple bills have been put in place to battle this misuse of technology. The most recent bill is CISA.
The Cybersecurity Information Sharing Act passed in the Senate in Oct. with a whopping vote of 74-21. This bill's main purpose is to help prevent data breaches like the famous Office of Personnel Management breach that exposed the personal data of more than 20 million current and former federal employees.
CISA aims to do this by offering legal protection to companies that opt in, enabling these companies to share information without the risk of legal repercussions. In theory, when a company is attacked, the federal government is alerted immediately and the warning is distributed to all companies taking part in CISA.
Why does this need to go through Congress?
CISA eliminates a company’s liability, thus protecting it from lawsuits for sharing too much information.
Some privacy advocates, however, have major concerns regarding CISA. Several senators took heed of these warnings and proposed amendments to the bill, such as requiring companies to remove personal data from any information before sharing. Ultimately, all of the proposed amendments were shut down and the bill was passed without any of the privacy reforms.
Privacy advocates also aren’t sure how much the bill will even promote data sharing to mitigate attacks. This is based on the argument that data sharing is already taking place among many companies and that introducing the government has not historically improved matters. Ben Johnson, Chief Security Strategist, is quoted in a Forbes article as saying:
“While cyber defense, security and safety should be a top national priority, the time the federal government continues to spend on CISA demonstrates that’s not the case. Threat intelligence is already being shared bountifully. It is the processing of that information, the application of that information, the operationalizing [sic] of that information, and finally the incorporation of that information into an overarching cyber strategy and risk mitigation platform that is sorely lacking. Threat intelligence sharing is not the problem.”
CISA is also criticized for lacking clarity – the bill does not specifically define just how the information will be shared or managed. Nowhere does the bill disallow shared information from being used outside the scope of cybercrime investigations. In the wake of Edward Snowden’s disclosures, passing a bill that allows the NSA to gather personal information even more easily could be seen as ironic.
For those of you unfamiliar with Edward Snowden, Snowden revealed thousands of documents exposing the US government’s vast reach of information gathering. Ex-NSA contractor Snowden is currently hiding in Russia and, according to this CNN article, he criticizes CISA, commenting that the FBI and NSA already collect this kind of hacking data all over the internet, but CISA would allow them to collect even more directly from companies.
This bill may have good intentions, but due to its vagueness, it can be very costly and may cause problems. Some view it as progress, but many view it as just another infringement on our right to privacy. Currently, CISA has only made it through the Senate and now must be combined with several other cybersecurity bills in the House, and finally, the President must sign off on it. However, the Obama Administration has already made it clear that it supports the bill.