Yesterday, after more than a year of bickering, stalling and revising, the Senate passed its most significant cybersecurity bill to date 74–21. The Cybersecurity Information Sharing Act (CISA) is a controversial measure to encourage businesses and government agencies to share information related to malicious hackers and their methods.
Government and industry have talked about such information sharing for more than a decade. The House of Representatives passed a precursor to CISA—the Cyber Intelligence Sharing and Protection Act (CISPA)—in 2013, but the bill’s progress stopped when Pres. Barack Obama threatened a veto due to a lack of privacy protections. Sen. Dianne Feinstein (D-Calif.) introduced the first version of CISA in July 2014, but the bill didn’t gain traction until she and Sen. Richard Burr (R-N.C.) reintroduced the legislation this past March. High-profile cybersecurity breaches at Sony Pictures, Home Depot, the Office of Personnel Management and dozens of other organizations within the past year alone helped CISA make its way to the Senate floor.
CISA’s problem had been the liability and privacy concerns that companies expose themselves to when they start handing data—customer records in particular—to the government. The bill limits companies’ liability in lawsuits, but the Senate voted down measures that would have required businesses and government agencies to at least try to scrub records of data that could be used to identify individuals.
Critics point out that information sharing will do little to prevent successful cyber attacks. In fact, the federal government already has an organization for sharing cybersecurity threat information. The Department of Homeland Security established its United States Computer Emergency Readiness Team (US-CERT) in 2003 to collect, analyze, disseminate and respond to cybersecurity information shared among government agencies, the private sector and researchers. At this point CISA would aid cyber threat data collection, but it’s unclear how that information would be used. In addition, most of the bill is devoted to outlining how the federal government would share information throughout its various agencies, with little mention of how the private sector might access this data.
Several privacy advocates and businesses opposed to CISA have pointed out that sharing information about new types of malware, suspicious network activity and other cyber-threat indicators will do little to crack down on cybercrime. Such information sharing must be combined with implementing encryption, patching outdated software and otherwise bolstering cyber defenses. The Electronic Frontier Foundation summarizes this argument in its latest criticism of CISA.
Scientific American has compiled a cheat sheet to help you understand the bill, why it is controversial and what it means to you.
What is CISA’s purpose?
The bill calls for government agencies, businesses and other organizations to share information about cybersecurity threats with one another. The thinking is that this shared information will help these different groups better prepare themselves to identify and defend against hackers trying to steal information from their computers. CISA in its current form, however, does not clearly define how this information would be shared, who would manage such information or how it would be disseminated.
Who is in favor of CISA?
Co-sponsors include Sens. Dianne Feinstein (D–Calif.), Richard Burr (R–N.C.), Bill Nelson (D–Fla.) and Angus King (I–Maine). The U.S. Chamber of Commerce and the Financial Services Roundtable, an advocacy group for the U.S. financial services industry, also support the bill.
Who is against it?
Privacy advocates at organizations such as the Electronic Frontier Foundation, the Center for Democracy & Technology and Fight for the Future; tech industry groups, including the Computer & Communications Industry Association (CCIA), whose members include Facebook, Google and Yahoo; and more than a dozen cybersecurity experts, including Massachusetts Institute of Technology professor Ronald Rivest (the “R” in the RSA cryptography protocol) and Bruce Schneier, a fellow at Harvard Law School’s Berkman Center for Internet and Society. In Congress, Sens. Ron Wyden (D–Ore.), Al Franken (D–Minn.), Patrick Leahy (D–Vt.) and Dean Heller (R–Nev.) have lined up against the bill, along with presidential candidates Sens. Rand Paul (R–Ky.) and Bernie Sanders (I–Vt.).
What are the arguments against CISA?
Sen. Wyden and others have called CISA a “surveillance bill,” arguing that the National Security Agency and other government entities could use information shared by companies to spy on their customers. Critics say that the process of passing customer information to government agencies or other third parties creates new opportunities for data to be stolen. They also argue the bill fails to address the real reasons hackers are able to steal data—including outdated software, malware and unencrypted files—and that because information sharing would be voluntary, a lack of participants could undermine the program.
Did recent amendments to the bill address any of these concerns?
The Senate rejected three separate amendments that would have required participants to at least attempt to remove data that could identify individuals before sharing customer information, when that information is not necessary to describe or identify a cyber threat.* Another amendment, however, gives participating companies legal protections from antitrust and consumer privacy lawsuits. And the government claims that information it receives will not be used to prosecute non-cyber related crimes.
What happens next?
In all likelihood CISA will soon be reconciled with two information-sharing bills that the House of Representatives passed in April. The combined bill will go to the White House, where Pres. Obama will probably sign it into law. Once that happens, the U.S. Attorney General has 180 days to finalize a plan for collecting and disseminating cyber-threat data.
*Editor's Note (10/28/15): This sentence was edited after posting to clarify that the version of CISA passed October 27 does not require participants to remove personally identifiable information.