Reacting to the influx of recent, high-profile data breaches and cybersecurity attacks in the government and the private sector, the U.S. Senate earlier this week passed the controversial Cybersecurity Information Security Act of 2015 (“CISA”), S. 754. The bill, which came after more than four years of handwringing and debate, received bipartisan support and passed by an overwhelming majority vote of 74 to 21.
But the passage of CISA raises a broader, more fundamental question: Is it an effective mechanism for corporate America to fight and perhaps even prevent cybercrime? The answer isn’t so clear at this point.
First, what does CISA entail? It encourages voluntary information sharing between government agencies and the private sector about cyber threats. The idea is that such information sharing will aid companies and the government in trying to defend against cybercrime.
Second, what type of information is shared under CISA? The Senate bill does not define or identify specific information that should be shared but speaks to the exchange of “threat indicators” and other “cybersecurity threat” information. The bill does require participating organizations to remove certain personal information or information that identifies a specific person not directly related to a cybersecurity threat before it is shared under the program. “Personal information,” however, is not defined by the bill.
Third, does CISA protect companies from liability if they voluntarily participate in the program? As a general proposition, companies sharing information about “cyber threats” through the reporting mechanisms outlined in CISA would be afforded liability protection from lawsuits relating to data sharing. Specifically, the entity must share information with the Department of Homeland Security, which further disseminates the information in real time to other federal and state law enforcement agencies, including the Federal Bureau of Investigation and the National Security Agency.
Finally, exactly how will the private sector access such “threat” information? The idea is that an information hub will be created for all “cybersecurity threat” information and then shared in some manner with participating organizations. But the specifics of how this information sharing will be managed and disseminated will be the subject of various agencies’ rule-making processes.
CISA was supported by the Department of Defense, the U.S. Chamber of Commerce, and various financial industry groups, but has drawn fierce opposition from tech companies (Google, Apple, Yahoo, and Twitter, to name a few), privacy advocates, and civil liberties groups. Critics argue that the bill does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government. They caution that, under the broad language of CISA, personally identifiable information (“PII”) and large volumes of American consumers’ personal data risk being handed over, at times unnecessarily, to government agencies for purposes other than enhancing cybersecurity.
For now, CISA heads to a conference committee that will determine the bill’s final language. The conferees will have an opportunity to address outstanding concerns and attempt to balance information sharing efforts with privacy concerns, while at the same time adding more specificity to the bill’s structure. Notably, all five pro-privacy amendments, including an amendment that would have added stricter requirements for companies to remove PII before sharing information, were defeated. Lawmakers will then need to roll up their sleeves and reconcile CISA with two similar bills passed by the House of Representatives, the National Cybersecurity Protection Advancement Act of 2015, H.R. 1731, and the Protecting Cyber Networks Act, H.R. 1560, before it makes its way to the White House.
The private sector will be watching as Congress works to craft these three pieces of legislation into a single information sharing law. Given all the moving pieces, it’s too soon to tell how useful the final legislation will be for private companies, or what the benefits of participating in any such program will be, until the details, processes, protections and definitions are hammered out.