US cyber law

by Mark Rowe

The US federal government has passed the Cybersecurity Information Sharing Act (CISA).

Among its provisions

The bill includes a provision that enables the federal government to prosecute overseas cybercriminals who profit from financial information stolen from Americans. The law also requires the federal DHS (Department of Homeland Security) to develop a process (a portal, in other words) for the federal government to accept cyber threat indicators and countermeasures from entities in an electronic format, and to distribute such indicators and countermeasures. The bill was sponsored by Republican Senator Richard Burr, Chairman of the Senate Select Committee on Intelligence (SSCI). He said: “This landmark bill finally better secures Americans’ private information from foreign hackers. American businesses and government agencies face cyber-attacks on a daily basis. We cannot sit idle while foreign agents and criminal gangs continue to steal Americans’ personal information as we saw in the Office of Personnel Management, Target, and Sony hacks. This legislation gives the government and US companies new voluntary collaborative tools so that they can work together against hackers that have been all too successful at stealing the personal information of millions of Americans for years. I thank Vice Chairman Feinstein for her tenacity in working to get this bill through the Senate.”

Comments

Rafael Laguna, CEO of Open-Xchange, said: “Aside from its exploitatively vague definitions of ‘cybersecurity threat’ and ‘threat indicators’, the most troubling aspect of the CISA is the degree to which it utterly disregards user privacy in favour of security: information can be shared ‘notwithstanding any other provision of law’. The stipulation that states that companies may not pass on data that they ‘know at the time of sharing’ to contain sensitive information is simply another get-out clause for companies looking for legal cover from a security breach. Gallingly, many cybersecurity firms (who make a business on the back of being experts on the topic!) have rejected the idea that information sharing is an effective way of stopping cyberattacks. The passing of CISA is another disappointing response to the pressing issue of finding the right balance between privacy and security.”

French Caldwell, chief evangelist at GRC software company, MetricStream, said that CISA has become a personal issue for a lot of people. “Libertarians are strongly opposed and it’s easy to sympathise with that position. The libertarian argument is though that, even with the privacy protections, this bill inherently increases government surveillance powers, and how do we know for certain that the government will not abuse the increased surveillance? Once the door is opened to this type of information sharing, there may be a risk over time of even more surveillance powers being granted to the government. For instance, might sharing go from voluntary to mandatory over time?

“In talking to those security people on the front lines at banks, electrical utilities, energy companies, and hospitals, I have learned that they are fighting a war. Well financed gangs of criminal hackers are attacking businesses and government agencies daily. And as we’ve seen over the last few years, nation-states are attacking companies to steal intellectual property and probe for weaknesses in critical infrastructure. In the aggregate, these cyberattacks amount to cyberwar.

“Is this type of surveillance absolutely necessary? The answer may vary industry to industry. The sharing of information is voluntary. Businesses are not required to do so, but there are clear benefits to doing so. Entities who share will have access to the pooled cyberthreat intelligence of the system that is maintained by DHS. Participants can also gain access to classified and unclassified threat analysis from the federal government. There are significant privacy protections in the legislation, and participants also will enjoy liability protections from anti-trust rules.”

And Yorgen Edholm, CEO of Accellion, said: “Passage of the Cybersecurity Information Sharing Act isn’t just troubling from a privacy perspective, it’s troubling from an economic perspective as well. CISA is just the latest in a long list of legislation that is stifling trans-Atlantic information sharing, including the recent invalidation of Safe Harbor agreements. If lawmakers continue to discourage international organisations from doing business with US firms, while also intruding on the privacy rights of citizens, they run the risk of jeopardising the health of the technology sector.”

© 2024 Professional Security Magazine. All rights reserved.