Whenever lawmakers propose new bills regarding privacy, cybersecurity, or the Internet in general, there is understandably scrutiny from business owners as well as the general public. You may remember SOPA (Stop Online Piracy Act), which was introduced in 2011 as a way to strengthen copyright laws and was eventually struck down due to corporate and public outcry. Or you may be more familiar with the recent issues related to Net Neutrality that brought people out in droves to preserve the Internet as it is today and ultimately led to the Federal Communications Commission ruling in favor of a free and open Internet.
Needless to say, these initiatives, and others like them, have been largely controversial and typically haven’t resulted in a law being enacted, but that hasn’t stopped lawmakers and other parties from lobbying for similar bills. The most recent example, CISA (Cybersecurity Information Sharing Act), is gaining traction in the U.S. Congress and deals with some of the same issues addressed in previous proposed bills. As you would expect, there are parties on both sides of the issue arguing for or against the initiative, but before we get to those opinions, let’s look closer at CISA and where it originated.
CISA’s Origins
The ideas that make up CISA aren’t necessarily new, and the bill is actually the Senate’s response to a similar bill drafted in 2011 by the House of Representatives called CISPA (Cyber Intelligence Sharing and Protection Act). CISPA was, perhaps not surprisingly, a highly controversial piece of legislation that followed in the footsteps of SOPA and led to widespread public opposition. In fact, it was so unpopular with the public that the White House stated it would veto the bill if necessary. The ultimate goal of CISPA was to give the U.S. government more power to investigate cyberthreats and ensure the security of networks against potential cyberattacks. CISPA was eventually put on hold because the Senate refused to vote on it in 2013, and although the House is working to revise the bill, the Senate announced its own version with CISA in July 2014, the one currently working its way through Congress.
CISA differs from CISPA in that it puts a bit more emphasis on the sharing of information between corporations and the government when it comes to cyberattacks, and it has provisions specifically targeted at protecting and not disclosing personally identifiable information as well as data that has nothing to do with the cybersecurity threat in question. The goal, according to the bill’s authors, is to give private corporations a way to voluntarily share information about cybersecurity attacks with government agencies to create something of a joint effort to improve security across the board. Although there is significant support from corporations with regard to some of the provisions included in the bill and the general concepts behind them, some people view CISA as another surveillance bill that could jeopardize personal privacy.
From Early Support To Public & Corporate Backlash
Interestingly enough, there is quite a bit of support from major technology corporations for putting cyberthreat information sharing legislation in place that allows corporations to voluntarily share cyberattack information with the government to help build better security solutions. In fact, BSA (The Software Alliance) sent an open letter to the U.S. Congress in September 2015 requesting that the House and Senate hasten their efforts in passing five key areas of legislation. Among acts regarding accessing data in the cloud and protecting international data was an item specifically about sharing corporate cyberthreat information.
Prominent members of the BSA include Adobe, Apple, IBM, Microsoft, Oracle, and Symantec, along with a host of other major technology organizations. With support from so many large corporations and the fact that CISA specifically addresses the requests of the BSA, at least in some part, it would seem that the bill would be well on its way to becoming law. However, there are many experts and organizations that believe some provisions in the bill leave much to be desired. Major corporations such as Dropbox and Apple (a BSA member) spoke out against CISA in its current form only a few short days before the bill went to a vote in the Senate.
The general public and tech corporations aren't the only ones speaking out against CISA. Advocacy groups, such as the Electronic Frontier Foundation, which was established with the ultimate goal of “defending civil liberties in the digital world,” are adamantly against CISA and similar bills because they could offer companies immunity clauses that allow them to share private information without penalty. There are also individuals teaming up to express their expert opinions as to why CISA isn’t the right bill for the issue of improving cybersecurity.
In an open letter sent to the Senate on October 26th, 2015, prominent professors of cybersecurity and cyberlaw from Stanford, Princeton, and Harvard, among others, wrote that the voluntary nature of corporations sharing private information with the government could negatively impact the Freedom of Information Act (release of U.S. government information to the public) while simultaneously making it easier for corporations to share private customer information with government agencies. The professors also warned that CISA would do very little to actually improve the overall corporate cyberthreat landscape and could lead to an overreliance on the government to investigate and solve cybersecurity issues.
Current Status
Many opponents of CISA agree something needs to be done to improve cybersecurity and to prevent damaging cyberattacks, but they say initiatives shouldn’t be put in place at the expense of privacy rights. That same group of professors referred to CISA as a “let’s do something” law in their letter to the Senate and expressed their concern that CISA would “weaken privacy and encourage governmental surveillance, with little upside to the public.” However, in the face of this opposition, the U.S. Senate voted 74 to 21 in support of CISA on Oct. 27, 2015. The bill is currently waiting for consideration from the House of Representatives.
The future of CISA is unclear at this time. It could pass through the House unchanged, be altered to include provisions from the House-supported CISPA bill, or be struck down altogether. Regardless of what happens with CISA, the fact that so many bills are being introduced to deal with corporate security illustrates the larger issue that corporations are facing more cyberthreats than ever before. And whether or not you support CISA and other initiatives, you may want to at least look at your overall cybersecurity approach and find ways to improve it on your own in the meantime.

