Sharing Cybersecurity Data
The Cybersecurity Information Sharing Act is necessary, but flawed.
A little over a year ago I discussed whether or not to share cybercrime attack data in the No Jitter post, Go It Alone or Share Attack Data. Since then the Senate passed the Cybersecurity Information Sharing Act (CISA), and President Obama signed it into law in December 2015. The bill has generated considerable attention, and of course, some of it is not favorable. Critics say it really helps the federal government spy more effectively and invade our privacy. Unified communications and collaboration systems are not immune to cybercrime.
What is CISA?
CISA is a U.S. federal law that states its goal is to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes." The Act supports and encourages sharing of Internet traffic information among the U.S. government and technology and manufacturing companies.
The bill's primary provisions make it easier for companies to share personal information, especially in cases of cybersecurity threats, with the federal government. The bill does not require information sharing. CISA creates a mechanism for federal government agencies to receive threat information from private companies.
It includes provisions for preventing the act of sharing data known to be both personally identifiable and irrelevant to cyber security, an important point that stopped the bill's progress until it was added. Personal information that is not removed during the sharing procedure can still be used. The shared cyber threat data can be used to prosecute cybercrimes, but may also be used as evidence for crimes involving physical force. The continued storage of the data has some detractors concerned. The full bill document is available on Congress's website.
Why CISA
There have been many major cybersecurity breaches, such as at Sony Pictures, Home Depot, Target, and the Federal Office of Personnel Management in 2015. These breaches accelerated the bill on the Senate floor, leading to final approval.
CISA responds to the liability and privacy concerns companies face when they are exposed to cybercrime, for example, deciding when to start sending data such as customer records to the government. The bill limits a company's liability in lawsuits. The Senate bill does not include provisions that require businesses and government agencies to attempt to clean records of data that could identify individuals, a particular concern of the critics. The article, "A Quick Guide to the Senate's Newly Passed Cybersecurity Bill," published in Scientific American, provides a helpful review of the bill and its sponsors and critics.
Flaws in CISA
Opponents question CISA's value, believing it will move responsibility from private business to the government. This increases the vulnerability of personal private information. It also means distributing personal private information across seven government agencies, including the NSA and local police.
The Forbes article, "Big Decision Time For Business As Cyber Security And Privacy Collide Again," is skeptical of the effectiveness of the bill's provisions. It pointed out that:
- The bill's proponents cannot identify a single breach that the execution of the bill's provisions would have prevented.
- "Protections extend to companies that share information with the Department of Homeland Security -- but there's the concern that DHS could then provide data to other entities like the NSA ... which aren't always reliably committed to privacy rights under any circumstances."
- "Companies may feel compelled to participate in the CISA sharing program because, if they don't, they can miss out on potentially valuable cyber threat information that their competitors -- who do participate -- openly exchange and benefit from. As such, there is at least some de facto coercion to participate." This is a concern voiced in "Busting the Biggest Myth of CISA -- That the Program is Voluntary" published in Wired.
Additional criticisms are presented in "The Many, Many, Many Flaws of CISA," posted at Slate.
The CISA bill is necessary, but flawed. Expect some changes as it is applied in the next few years. Probably the worst part of the bill is the language used, which is not always clear and easily enforceable. Some of the provisions may end up as court rather than government determinations.