Yesterday, S. 754, the Cybersecurity Information Sharing Act (CISA) passed through the Senate, despite protests from privacy advocates and many information security and technology companies. A related bill passed through the House earlier this year; now CISA will go through a conference stage before heading to the President.
It's not a law yet, but here are a few things to know about CISA, going forward.
1. Not all tech companies are against it
There was a big push against CISA by privacy advocates, some tech giants -- including Apple, Dropbox, Salesforce, and Twitter -- and many infosec experts. Yet it garnered support from other security pros, particularly those in the threat intelligence space.
CISA encourages private organizations to share indicators of compromise and other cybersecurity information by allowing them to exchange threat and compromise data without fear of legal liability, public exposure, or the antitrust complications that may arise from sharing information with competitors.
Paul Kurtz, former cybersecurity advisor to the White House and CEO of threat intelligence and information sharing start-up TruSTAR, called the Senate's passage of CISA "an important step forward in addressing the ongoing cyber security crisis. ... This bill will provide important liability protections for companies that choose to exchange cybersecurity threat information. However, we have also heard the message loud and clear that information sharing efforts must not cost us our privacy. Now that government has played its role by removing legal obstacles to cyber incident collaboration, it is time for industry to work together to create a privacy-preserving information sharing infrastructure.”
"The [threat intelligence] market has improved at sharing intelligence, but there are some inherent constraints that, absent some kind of an agreement like this, will unlikely be removed," says Chris Petersen, senior vice president of products, CTO and co-founder at LogRhythm. "To make this work effectively, we need some formal agreement between the public and private sectors on steps each sector can take."
The Health Information Trust Alliance (HITRUST) also stated today it supports CISA, noting that it wouldn't support just any info-sharing legislation, and had "opposed any amendment that would weaken significant provisions including the need to safeguard privacy and civil liberties or weaken liability protection for information sharing."
2. It's been called a 'surveillance bill'
The bill does include text that ostensibly protects privacy, but it also includes text that could allow greater cooperation between the public and private sectors on surveillance activities without any requirement for disclosure. Section 4 of the bill states:
Requires the federal government and entities monitoring, operating, or sharing indicators or defensive measures: (1) to utilize security controls to protect against unauthorized access or acquisitions, and (2) prior to sharing an indicator, to remove personal information of or identifying a specific person not directly related to a cybersecurity threat.
Section 5 of the bill:
Requires cyber threat indicators and defensive measures shared with the federal government and threat indicators shared with state, tribal, or local governments to be: (1) deemed voluntarily shared information, and (2) exempt from disclosure and withheld from the public under any laws of such jurisdictions requiring disclosure of information or records.
“We must be concerned with both security and privacy, and we must find an effective balance,” says Petersen. “In the face of a large-scale cyber attack, privacy will be irrelevant if we cannot defend ourselves through the effective sharing of threat intelligence. Like it or not, we are entering an age of more persistent cyber threats, and this legislation is about national defense. We should still protect privacy, while also realizing the benefits of sharing across the public and private sectors.”
In a reddit Q&A session hosted by the advocacy group Fight for the Future, NSA whistleblower Edward Snowden wrote of CISA: "It's not going to stop any attacks. It's not going to make us any safer. It's a surveillance bill. What it allows is for the companies you interact with every day -- visibly, like Facebook, or invisibly, like AT&T -- to indiscriminately share private records about your interactions and activities with the government."
3. It has bi-partisan support
Tuesday, the bill, sponsored by Sen. Richard Burr (R-NC), with the amendment added by Sen. Susan Collins (R-ME), passed 74-21. The nays were a mix of 14 Democrats, six Republicans and one independent.
"We are at September 10th levels in terms of cyber preparedness," said Sen. Collins. "In light of this continuing state of cyber insecurity, the passage of this bipartisan legislation is a good first step in our effort to bolster our nation’s cyber defenses."
4. Amended CISA may create new regulation
The new provisions introduced by Sen. Collins require the Secretary of Homeland Security to develop a strategy to mitigate risk of catastrophic attacks to critical infrastructure -- "catastrophic" meaning a single attack that would result in 2,500 deaths, or $50 billion in economic damage, or severe degradation of national security. The amendment also requires DHS to conduct assessments of critical infrastructure at greatest risk of catastrophic attack.
The American Bankers Association applauded the passage of CISA, but expressed concerns about the new amendment, stating "allowing DHS to create cybersecurity standards for critical infrastructure that would have the practical impact of regulation is unnecessary and harmful."
5. It might injure trade and information-sharing across borders
The National Retail Federation, the Retail Industry Leaders Association, and the U.S. Chamber of Commerce all support CISA. Yet could enhanced sharing of information between private businesses and the U.S. government cause entities in other countries to avoid doing business with -- or sharing threat intelligence with -- American businesses?
According to Yorgen Edholm, CEO of Accellion -- a private cloud services provider that, coincidentally, counts the U.S. Senate among its customers -- "Passage of the Cybersecurity Information Sharing Act isn’t just troubling from a privacy perspective, it’s troubling from an economic perspective as well. CISA is just the latest in a long list of legislations that are stifling trans-Atlantic information sharing, including the recent invalidation of Safe Harbor agreements. If lawmakers continue to discourage international organizations from doing business with US firms, while also intruding on the privacy rights of citizens, they run the risk of jeopardizing the health of the technology sector.”
Regardless of whether CISA is signed into law, Carl Herberger, a former U.S. Air Force officer at the Pentagon and current vice president of Security Solutions at Radware, says that the country needs a privacy law -- not just to protect citizens' privacy, but to protect the economy.
"Without a law governing the human aspect of privacy, people will continue to steal, borrow and monetize this valuable asset until it no longer holds meaning," says Herberger. "Delay of national privacy legislation is directly related to financial loss and national economic competitiveness. Financial institutions will be the great bearers of these costs as consumers demand to have their institutions restitute their damages."