The impact of the Senate's passage of the CISA

Oct. 30, 2015
Examining the details, security effects and criticisms of the Cybersecurity Information Sharing Act

On Tuesday, the U.S. Senate overwhelmingly passed the Cybersecurity Information Sharing Act (CISA). In short, the bill is designed to fight the growing problem of corporate data breaches by letting individual companies share cybersecurity threat data with the government, which would then, in theory, use it to defend both the targeted company and others facing similar attacks.

“The (CISA) would make it easier for public and private sector entities to share cyber threat information in order to lessen the theft of trade and national security secrets as well as the compromise of personal information,” Senator Susan Collins (R-ME) explained on the Senate floor. “It would eliminate some of the legal and economic barriers impeding voluntary two-way information sharing between private industry and government. It is a modest but essential first step to protect networks and their information.”

The bill, introduced by Sens. Richard Burr (R-NC) and Dianne Feinstein (D-CA), is not yet law. The House passed its own version earlier this year: the Protecting Cyber Networks Act (PCNA), bipartisan legislation that similarly grants companies liability protection when they share narrowly defined cyber threat indicators with the FBI and Secret Service. A combined version of the two bills is likely to become law once Congress reconciles their differences.

“American businesses and government agencies face cyber-attacks on a daily basis. We cannot sit idle while foreign agents and criminal gangs continue to steal Americans’ personal information as we saw in the Office of Personnel Management, Target and Sony hacks,” Burr said in a statement.

Neither bill has been without its share of critics. Privacy advocates warn the legislation is a veiled attempt at consumer surveillance. The Computer and Communications Industry Association (CCIA), for example, stated it “is unable to support CISA as it is currently written. CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.”

Tech giants such as Apple also opposed the bill on the grounds of protecting their customers’ privacy.

Impact on Security Directors

Despite the objections, the bill is one step closer to becoming law, so security departments and their integrators should understand what sharing mechanisms, and what obligations on shared data, may be in store.

In theory, the information to be shared would be limited to “threat indicators”: technical data such as the type of malware used, the internet addresses the attack originated from and the methods attackers used to cover their tracks. Presumably, the government can use this information to stymie further attacks on other companies and on the government itself.

The bill “requires the federal government and entities monitoring, operating, or sharing indicators or defensive measures: (1) to utilize security controls to protect against unauthorized access or acquisitions; and (2) prior to sharing an indicator, to remove personal information of or identifying a specific person not directly related to a cybersecurity threat.”
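The second of those two requirements is the one concrete technical obligation the bill places on a company that decides to share: before an indicator leaves the building, strip anything that identifies a specific person unless that detail is itself part of the threat (an attacker's phishing sender address is part of the threat; the employee who received the phish is not). The Python below is an added example written for this article, not code from the bill, the article's author or any sharing platform. The field names, the sample record and every address in it are constructed for illustration; a real exchange would carry indicators in a standard schema such as STIX, but the scrubbing logic is the same.

```python
import re

# Allow-list of fields that carry technical threat data and may be shared.
# Field names are assumptions for this example, not a published schema.
THREAT_FIELDS = {"malware_family", "sha256", "c2_ip", "c2_domain",
                 "phish_sender", "ttps", "notes"}

# Fields that identify a specific person at the sharing organisation and are
# not themselves part of the threat; they are removed before sharing.
PERSONAL_FIELDS = {"victim_email", "victim_name", "reported_by",
                   "workstation_owner"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scrub_indicator(record: dict) -> dict:
    """Return a copy of `record` that is fit for sharing.

    1. Structured fields: keep only THREAT_FIELDS. Personal fields and any
       unrecognised field are dropped, so an unexpected field fails closed
       instead of leaking.
    2. Free text ("notes"): redact the values of the dropped personal fields
       wherever they appear, then redact any remaining e-mail address that is
       not itself a threat indicator (an attacker-controlled sender stays).
    """
    shared = {k: v for k, v in record.items() if k in THREAT_FIELDS}
    removed = sorted(k for k in record if k not in THREAT_FIELDS)

    # Values that identify people, to be redacted in free text as well.
    personal_values = [str(record[k]) for k in PERSONAL_FIELDS
                       if record.get(k) not in (None, "")]
    # Addresses that are part of the threat itself, e.g. the phishing sender.
    threat_addresses = {v for k, v in shared.items()
                        if k != "notes" and isinstance(v, str)
                        and EMAIL_RE.fullmatch(v)}

    notes = shared.get("notes")
    if isinstance(notes, str):
        # Longest values first so a name embedded in an address is not
        # partially replaced before the full address is.
        for value in sorted(personal_values, key=len, reverse=True):
            notes = notes.replace(value, "[redacted]")
        notes = EMAIL_RE.sub(
            lambda m: m.group(0) if m.group(0) in threat_addresses
            else "[redacted-email]",
            notes)
        shared["notes"] = notes

    shared["_removed_fields"] = removed   # audit trail of what was dropped
    return shared


# Constructed sample record: TEST-NET-3 address, example.* domains, the
# SHA-256 of an empty file, and fictional people.
SAMPLE_RECORD = {
    "malware_family": "ExampleRAT",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "c2_ip": "203.0.113.45",
    "c2_domain": "update.example.net",
    "phish_sender": "invoices@example.net",
    "ttps": ["spearphishing attachment", "scheduled task persistence"],
    "victim_email": "jane.doe@example.com",
    "victim_name": "Jane Doe",
    "reported_by": "soc-analyst@example.com",
    "ticket_id": "INC-20151030-07",
    "notes": ("Phish from invoices@example.net reached jane.doe@example.com "
              "(Jane Doe); she forwarded it to soc-analyst@example.com and "
              "cc'd bob.smith@example.com."),
}

if __name__ == "__main__":
    for key, value in scrub_indicator(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

The allow-list is deliberately the conservative choice: a field the scrubber has never seen (here, an internal ticket number) is dropped rather than forwarded, and the `_removed_fields` list gives the sharing organisation a record of what it withheld, which is what an auditor would ask for. The free-text pass catches the case the structured pass cannot, an analyst's narrative that repeats the victim's name or copies in a colleague who appears in no structured field.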

It also exempts from antitrust laws those private companies that, for cybersecurity purposes, "exchange or provide cyber threat indicators or assistance relating to the prevention, investigation or mitigation of cybersecurity threats."

CISA does not compel any private entity or individual to share anything; the only mandatory steps are the privacy-related ones that apply if a company does choose to share. “Companies have the choice as to whether they want to participate in CISA’s cyber threat information sharing process, but all privacy protections are mandatory,” Burr said in a statement.

Thus, participation under the Senate version of the bill would be completely voluntary, as a section of the bill “prohibits this Act from being construed to permit the federal government to require an entity to provide information to the federal government.”

Questions About Effectiveness 

Beyond the privacy concerns, industry analysts are unsure whether such a voluntary law would truly be effective in reducing the number of data breaches.

“Rather than encouraging companies to increase their own cybersecurity standards, CISA ignores that goal and offloads responsibility to a generalized public-private secret information sharing network,” wrote a large group of cybersecurity and cyberlaw professors in an open letter to the Senate opposing the Act. “Security threat information sharing is already quite robust.”

In fact, social media companies like Facebook (whose ThreatExchange platform launched earlier this year) and entire sectors such as financial services (through the FS-ISAC) already run comparable cybersecurity information sharing consortia and initiatives.

“From where I sit, the biggest impediment to detecting and responding to breaches in a more timely manner comes from a fundamental lack of appreciation — from an organization’s leadership on down — for how much is riding on all the technology that drives virtually every aspect of the modern business enterprise today,” writes security expert Brian Krebs, in his blog. “Far too many organizations have trouble seeing the value of investing in cybersecurity until it is too late. Even then, breached entities will often seek out shiny new technologies or products that they perceive will help detect and prevent the next breach, while overlooking the value of investing in talented cybersecurity professionals.

“The most frustrating aspect of a legislative approach to fixing this problem is that it may be virtually impossible to measure whether a bill like CISA will in fact lead to more information sharing that helps companies prevent or quash data breaches,” Krebs added. “Meanwhile, history is littered with examples of well-intentioned laws that produce unintended (if not unforeseen) consequences.”

Paul Rothman is Editor-in-Chief of Security Dealer & Integrator (SD&I) magazine (www.secdealer.com).