The U.S. Senate on Tuesday voted 74-21 to pass the Cybersecurity Information Sharing Act, or CISA, in the face of strong opposition from legal and cybersecurity experts, the high-tech industry, privacy and civil liberties organizations, and members of the public.
The Act calls for the United States Director of National Intelligence, the Department of Homeland Security, the U.S. Department of Defense and the U.S. Department of Justice to share cyberthreat indicators between the public and private sectors.
It allows private entities to monitor and operate cybersecurity measures applied to their own information systems and, with permission, to those of other private or government entities. It also allows them to monitor information stored in, processed by, or transiting through monitored systems.
Personal identifying information of people not directly related to a cybersecurity threat must be removed from data that’s shared.
CISA calls for the institution of automated real-time sharing procedures and for the imposition of penalties against federal officers, employees or agents who conduct unauthorized activities.
La CISA Nostra
Private entities that exchange or provide cyberthreat indicators or help to prevent, investigate or mitigate cybersecurity threats are exempt from antitrust laws — provided they do not engage in price-fixing or anticompetitive behavior.
Cyberthreat indicators and defensive measures shared with the U.S. federal government, along with threat indicators shared with state, tribal or local governments, are deemed voluntarily shared information under the Act. They are exempt from disclosure, so the public cannot rely on laws requiring the disclosure of government information or records to gain access to them.
Companies that monitor information systems or share or receive indicators or defensive measures have liability protection, so long as they follow DHS’s sharing procedures.
The bill next goes to a congressional conference committee for reconciliation of its final language with the House-approved version, and then to the president to be signed into law.
“The passage of CISA today … shows just how badly Congress misunderstands technology, security and privacy,” the Electronic Frontier Foundation tweeted.
Ave CISA! Morituri te Salutant!
CISA “is fundamentally flawed, due to its broad immunity clauses, vague definitions, and aggressive spying authorities,” argued Mark Jaycox, a legislative analyst at EFF.
“If CISA becomes law, more Internet users’ communications information will be funneled to the National Security Agency, not as intelligence surveillance, but under the cybersecurity umbrella,” said Greg Nojeim, director of the freedom, security & technology project at the Center for Democracy and Technology.
For users, “the result is the same: less privacy and more surveillance,” he told the E-Commerce Times.
“The fact that those that share data and accidentally expose customer information are protected from lawsuits is a major concern,” noted Brian Laing, VP of products and business development at Lastline.
“Very few companies are adequately staffed with employees that have the skills to respond to major security events,” Laing told the E-Commerce Times. “There’s a high likelihood that in the event of a major incident, users’ data will be exposed.” Under CISA, those victims “would have no protection and no recourse for their exposed data.”
The biggest hacks this year occurred at Anthem, where 80 million people’s records were stolen, at Ashley Madison, where 37 million members were compromised, and at the U.S. Office of Personnel Management, where at least 25 million government workers’ personal data was breached.
Good Lovin’ Gone Bad
Hackers are exploiting the inability of law enforcement agencies to share data with each other and with private sector firms. For example, in the case of the Sony hack, the NSA might have anticipated that the attack was coming, but informing Sony wasn’t in its purview.
“Given the current climate of cyberthreats, we need something like CISA so organizations can coordinate efforts to defend themselves and us,” remarked Jonathan Sander, VP at Lieberman Software.
That said, CISA “started out with the noble and necessary mission to encourage wider sharing of cyberthreat intelligence,” he told the E-Commerce Times, “but like so many bills before it, Washington games stuffed it full of things that served other, less noble interests.”