The Cybersecurity Information Sharing Act (CISA) is a done deal. But the debate over both its security value and privacy implications isn’t. It lingers, in some cases more intense than ever.
The mere fact that it has become law is historic – there have been numerous attempts in Congress, spanning nearly a decade, to craft a bill that would enable the sharing of cyber-threat indicators among government and private-sector entities without creating liability risks for companies or jeopardizing personal privacy.
And CISA, according to its proponents, comes as close as politically possible to achieving those goals. So while they were not gloating, they were relieved and gratified after it finally passed Congress in late December, tucked inside the 2016 Omnibus Appropriations bill (pages 1,728-1,863) and re-named the “Cybersecurity Act of 2015”.
They say it offers real hope of tipping the balance in favor of the good guys in combatting everything from corporate data breaches to other online crime, economic espionage and terrorism.
To Scott Talbott, senior vice president, government relations, at the Electronic Transactions Association, the value of sharing cyber threat indicators ought to be obvious.
“The value is that everyone can be alerted to cyber threats and take precautionary countermeasures before they materialize and spread,” he said. “Before CISA, corrective measures could be taken only after the cyber threat had done its damage. CISA allows each company to serve as an early warning system to the entire economy.”
Scott Talbott, senior vice president, government relations, Electronic Transactions Association
Paul Rosenzweig, founder of Red Branch Law & Consulting and a former deputy assistant secretary for policy at the U.S. Department of Homeland Security (DHS), said complaints from opponents that CISA amounts to a surveillance bill are, “not grounded in a realistic assessment.
“Every law is capable of being abused,” he said, “but saying that CISA is a surveillance bill is like saying the law that created food stamps is an obesity bill.”
But that complaint from opponents – that CISA hands the government a major surveillance tool – remains persistent and vociferous.
“I think this bill was meant to be a surveillance bill from the start,” said Justin Harvey, CSO of Fidelis Cybersecurity, adding that he is dubious that the stated intent of the bill – to use collective intelligence to warn of potential cyber attacks and possibly stop them before they occur – will result.
More likely, he said, is that the kind of government surveillance – collection of metadata – on citizens that was being conducted by the National Security Agency (NSA) before former NSA contractor Edward Snowden exposed it, will return.
Sign up for CIO Asia eNewsletters.