The Cybersecurity Information Sharing Act (CISA) passed the Senate on October 27th. The purpose of the bill is to open channels of communication between government entities and corporations to help identify cybercriminals or potential cybersecurity threats for the purpose of defending our cyberspace and identifying and prosecuting hackers.
A key component of the bill gives private companies legal immunity for sharing data with the federal government; any information shared is specifically shielded from the Freedom of Information Act. The purpose of CISA is to allow private and public entities to quickly report and disseminate information about new threats and vulnerabilities. Supporters are underscoring how the government is finally taking action on cybersecurity and internet data breaches.
Previous attempts to pass the bill failed due to concerns that private information could be mistakenly shared and misused by the government. Recent cyberattacks, including Russian hackers penetrating White House computers and attacks on internet-based retail businesses, intensified the push for greater protections. The threat is being taken seriously, with the FBI now making cyberspace security threats a top priority and President Barack Obama’s proposed 2016 budget granting $14 billion for cybersecurity efforts, an increase of $1.5 billion over this year’s spending.
The bill allows sharing of information between private entities and the federal government including the NSA, CIA, IRS, local police, and other government agencies. Privacy advocates opposed the bill for its lack of legal recourse if incorrect information is shared. The lack of adequate privacy protection opens the door for any type of surveillance, even government surveillance that previously required a warrant.
Senator Ron Wyden from Oregon, in a dissenting view of the bill, said “I oppose this bill because I believe its insufficient privacy protections will lead to large amounts of personal information being shared with the government even when that information is not needed for cybersecurity.” An amendment from Senator Wyden requiring companies to remove personal data before sharing information, unless that information is necessary to identify a threat, was rejected. There have also been objections from the Deputy Secretary of the Department of Homeland Security to the weak privacy protections and to the broad provisions for sharing cyber threat information with other government agencies, including the Attorney General’s office. According to the Homeland Security Watch blog, DHS will play a key role brokering private/private and private/public information flows, funneling the vast majority of CISA data through DHS. This was a key compromise the bill’s backers struck to win the support of on-the-fence lawmakers.
A vaguely worded definition of a cybersecurity threat in the bill opens the door for monitoring any internet communication. The bill gives companies and the government the ability to monitor private users without a warrant, which circumvents the Fourth Amendment, according to privacy advocates. The Fourth Amendment protects against government actions, not private entities, so information passed from third parties to the government is not protected under the Fourth Amendment, unless the third party is acting as an agent of the government. Privacy advocates are calling for a new law that would limit evidence gathered by private entities they can’t gather themselves. In the case of a service provider like a cable company, the internet provider would be the private entity or an investigative entity given access to the provider network.
CNN described the CISA bill this way: “Every cyberattack is like a flu virus and CISA is intended to be a lightning fast distribution system for the flu vaccine. Opt in and you get a government shot in minutes, not months.” In my opinion, this is a long overdue bill that will immediately improve the reaction time to any cyberattacks, inside and outside of the US. Private businesses have used a blend of security consultants, security device manufacturers, and internet resources to mitigate attacks. The intent of the bill to raise a stronger cybersecurity presence is definitely needed and will greatly enhance both the accuracy and speed of countering cyberattacks. The bill needs some tuning to address privacy concerns and the definitions of internet monitoring. Granting sweeping powers to the government with little control and oversight needs to be addressed. The act is now on its way to the House for consideration.