On Friday, the US Congress passed cybersecurity information sharing legislation after more than five years of debate. The Cybersecurity Act of 2015 (formerly the Cybersecurity Information Sharing Act, or CISA), was passed as part of the Omnibus Spending Bill.
Specifically, CISA gives companies the ability to share cybersecurity information with federal agencies, including the NSA, “notwithstanding any other provision of law”; i.e., it provides liability protection and an antitrust exemption for those sharing information.
To effect this, it calls for information-sharing portals to be set up with agencies such as the FBI and the Office of the Director of National Intelligence, so that companies hand information directly to law enforcement and intelligence agencies instead of going through the Department of Homeland Security and the court vetting system contained therein. It also allows law enforcement to use specific threat data without specific court approval when there is a known, specific threat.
Other aspects include:
- It’s voluntary. There is no requirement to share information or to use shared information.
- It requires reasonable efforts to protect the distribution of PII unless that information is relevant to the cybersecurity purpose (e.g. the registration details of a criminal domain).
- It makes clear that shared data can be used in criminal prosecutions, but cannot be used as evidence of regulatory violations.
The legislation has been highly controversial, with detractors arguing that it could allow organizations to circumvent privacy norms and civil liberties, including the requirement for warrants when it comes to surveillance. There is no mention of warrantless wiretapping and the like as part of the bill’s language, but opponents are concerned that the language is sufficiently vague as to provide a loophole for just such snooping.
“We are deeply disappointed that Congress has passed CISA into law, despite our serious concerns that it will undermine privacy and cybersecurity,” said Robyn Greene, policy counsel at New America’s Open Technology Institute (OTI), in a statement to media. “Hopefully, the private sector, the intelligence community, and law enforcement will construe its dangerously broad provisions as narrowly as possible, so that the impact on online privacy is minimized.”
Opponents are also particularly upset that it was packaged with the Omnibus, a virtually un-vetoable, must-pass package that will provide operational funding and avoid a government shutdown for the time being. OTI, along with 50 other security experts and civil society groups, wrote to Congress in the wake of the bill’s passage to say that they strongly oppose the bill “because of its weak privacy protections, and opposing leadership’s choice to refuse to hold a stand-alone vote and instead force it into law as part of the must-pass omnibus spending bill.”
Sean Tierney, Morgan Stanley’s former cyber-emergency response chief and current vice president of threat intelligence at IID, has a different take. He said that CISA removes many of the main impediments to widespread cybersecurity information-sharing, while maintaining the current level of protection for personally identifiable information (PII).
“Study after study has found that fear of liability for shared information keeps organizations from fully participating in threat intelligence exchange,” he said in a blog post. “For the past two years, IID has partnered with the Ponemon Institute to study this topic. Last year 55% of respondents said the potential liability of sharing keeps their companies from more fully participating in a threat intelligence exchange program. This increased to 62% of respondents in this year’s study.”
And some are in the middle when it comes to reaction, and note that the interpretation of the law will be everything. Paul Kurtz, former White House cybersecurity advisor and current CEO and co-founder of TruSTAR Technology, noted that the devil will be in the details.
“This is the first tangible demonstration of a partnership between Congress, the Administration and the private sector to address the critical need for cyber incident sharing to help protect our economy and national security,” he said, via email. “Providing liability relief for companies sharing cyber incident data amongst themselves and with the government provides a foundation on which to build a more collaborative cybersecurity defense. However, information-sharing should not have to cost us our privacy, and now it will be up to the private sector to build an infrastructure that both promotes security and preserves trust.”
One thing that’s agreed upon is that there’s much more work that can be done. OTI and others are urging Congress to consider other measures in the cybersecurity space, including:
- Reforming the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act to ensure that security researchers are able to identify and responsibly disclose vulnerabilities without fear of prosecution or civil liability.
- Establishing a grant program that would support small businesses in implementing programs that accept and reward vulnerability reports.
- Incentivizing businesses to practice better cyber hygiene.
- Creating scholarship programs for individuals in underserved communities to study computer science and software engineering.
“For over five years, the information sharing debate took up all of the air in the room when it came to cybersecurity policy,” OTI’s Greene said. “Now that it is over, we hope that Congress will finally turn its attention to passing legislative reforms that will improve cybersecurity while also respecting or even enhancing privacy. Congress should begin to work to ensure that security researchers can find and disclose vulnerabilities free from the threat of prosecution or civil liability, and create programs that will make cyber-hygiene and tech education more accessible to and achievable by individuals and businesses.”