The Cybersecurity Information Sharing Act (CISA) passed the Senate with a vote of 74-21, and will now be merged with two other similar bills before reaching President Obama.

The CISA is intended to reduce the number of corporate data breaches by permitting companies to share data regarding potential cyber threats with the Department of Homeland Security (DHS). The general concept is that if a company gets hit with a cyber attack, the federal government would receive an alert message, prompting the distribution of warnings to other U.S. companies. This would allow the government to respond quickly to cyber attacks and contain potential threats to U.S. citizens. All of this information sharing is supposed to happen automatically, and is intended to replace the industry-maintained “information sharing and analysis centers” that don’t always team up to thwart potential threats. The CISA would create a single system that would automatically send samples of “malicious computer code” to the DHS (which would then forward that data to other government agencies) and to participating U.S. companies.

Significantly, the CISA would afford liability protection to U.S. companies for sharing too much information. Almost every industry except the tech industry supports the bill.

While many believe the CISA’s cybersecurity enhancement is of the utmost importance, some believe that its passage would lead to unwarranted governmental sharing of information about the civilian population. “The incentive and the framework it creates is for companies to quickly and massively collect user information and ship it to the government,” says Mark Jaycox, a legislative analyst for the civil liberties group the Electronic Frontier Foundation. “As soon as you do, you obtain broad immunity, even if you’ve violated privacy law.”

The CISA indicates that any information gathered about a roughly defined “cybersecurity threat” can be shared “notwithstanding any other provision of law.” However, supporters of the CISA counter that these concerns are largely unfounded. Senate Intelligence Committee chair Richard Burr recently released a list of CISA “myths”, one of which is answered with the point that companies are required to depersonalize any information prior to sharing.

In sum, the CISA still has a long way to go before becoming law. Capitol Hill will still need to iron out the wrinkles when combining the CISA with the previous cybersecurity bills passed out of the Senate and the House. A large hurdle stands in the way of the CISA: the lack of support from the tech giants, who contend that information sharing does not protect against cyber threats, but rather erodes users’ trust in the companies. However, none of that was enough to dissuade the Senate from passing the bill, 74-21.

Robert McLeod

 

 
