Large-scale cyber attacks like those experienced by OPM, Sony, Anthem, and Target have intensified the ongoing criticism that the US government lacks a coherent cybersecurity policy. The Cybersecurity Information Sharing Act (CISA), which is currently awaiting a vote in the Senate, is the latest effort to develop a strategy. While there is an urgent need for better cybersecurity on the part of both the government and the private sector, CISA has become mired in controversy. Here’s what you need to know about CISA – both the good and the bad.
The Good
1. More Information Sharing
The primary goal of CISA is to increase the ability of private companies to share cybersecurity information with the government. Information sharing would allow companies to build a collective defense against cyber-attacks by having the government coordinate the dissemination of information about attacks against other companies. It is believed that sharing this information would allow companies to better identify and patch vulnerabilities in their networks, which would likely result in increased resistance to cyber-attacks.
2. Legal Protections
Currently, companies face potential legal ramifications if they disclose the fact that they have suffered a network breach. Furthermore, businesses risk damage to their public images, loss of public confidence, and the threat of lawsuits from shareholders. Private companies have a strong disincentive against letting anyone know that they have been hacked. CISA would give businesses liability protection for information about cyber-incidents that are disclosed as part of CISA activities.
3. Better Coordination
Part of the problem with creating a coordinated response to cyber problems is that there is a degree of ambiguity about which agencies are responsible for what activities. CISA would place the majority of the responsibility for information gathering and dissemination on the Department of Homeland Security. Ideally, this would allow for more clearly and efficiently delineated processes for handling cyber events.
The Bad
1. Concerns about Privacy
Privacy advocates dislike CISA because they view certain provisions as a backdoor method for carrying out mass surveillance. CISA would allow companies to monitor their customers’ activity and then report anything suspicious to the government. It would also allow the government to use that information to prosecute people, and it would prevent any shared information from being made public through Freedom of Information Act requests. While CISA does contain sections specifically intended to limit civil rights abuses, most privacy advocates deem these insufficient.
2. Concerns about Effectiveness
Other critics have raised concerns about whether information sharing is a truly effective tactic for countering cyber-threats. Even DHS officials are unsure whether CISA would result in the government being inundated with more information than it could readily handle. If that is the case, then any value that would have been generated by sharing information would likely be countered by an inability to process it into usable intelligence.
3. May Not Address the Key Drivers of Cyber-Insecurity
Organizations such as the Electronic Frontier Foundation have also criticized CISA for failing to address the actual causes of cyber breaches, such as not encrypting information, not updating computers and servers, and not practicing good cyber-hygiene. Problems like these will not be solved by information sharing, and the current cybersecurity legislation does not contain any provisions that would address them. As a result, these critics argue, CISA would ultimately be ineffective at its primary purpose.
This is not the first time the United States government has tried to create cyber-security legislation. The 2012 Cyber-Intelligence Sharing and Protection Act (CISPA) passed in the House, but did not gain approval in the Senate. Even if CISPA had gained Congressional backing, President Obama had planned to veto the bill due to a lack of protections for civil liberties and privacy. CISA shares many of the core provisions that prevented CISPA from becoming law, but the political climate has changed significantly since 2012, and with the recent high-profile cyber attacks, there may be more political will to take action.
Luke Penn-Hall is an analyst with The Cipher Brief.