Over the howls of digital-privacy advocates, the U.S. Senate yesterday (Oct. 27) passed the Cybersecurity Information Sharing Act (CISA) 74-21. The bill will be reconciled with two companion bills that have already passed the House of Representatives, and from there will go to the White House to be signed by President Obama, who supports it.
"This landmark bill finally better secures Americans' private information from foreign hackers," Senate Intelligence Committee Chairman Richard Burr, R-N.C., said after the bill's passage. "We cannot sit idle while foreign agents and criminal gangs continue to steal Americans' personal information as we saw in the Office of Personnel Management, Target, and Sony hacks."
"This bill will allow companies and the government to voluntarily share information about cyber threats and the defensive measures they can implement to protect their networks," said Senate Intelligence Committee Vice Chairman Dianne Feinstein, D-Calif. "We took every step we could to satisfy privacy concerns. ... I believe this is a very good bill that reflects consensus on a very complicated issue."
CISA will make it easier for companies and other large organizations to share information with federal government agencies so that they can better prevent and defend against large-scale cyberattacks. (Company participation is voluntary, not mandatory.) But it also means that your private personal data — your name, address, email address, even Social Security number — can be passed around among these parties much more freely than before.
CISA's advocates say the bill is necessary because at the moment, any company coming under cyberattack can't share all the relevant data with other companies or federal agencies without running afoul of privacy and antitrust laws. CISA grants companies immunity from prosecution or civil action resulting from violations of those laws, as long as the information is tied to a "cyber threat indicator."
"Eighty-five percent of America's critical cyber infrastructure is owned and operated by industry," said the U.S. Chamber of Commerce in an FAQ on the bill posted before its passage. "It is critical for industry to have real-time situational awareness about potential threats and access to the best practices and strategies to combat such threats."
Digital-rights groups argue that CISA doesn't protect private information strongly enough and that the definition of a "cyber threat indicator" is so broad that it could mean almost anything. Some groups even argue that the legislation is secretly meant to increase government surveillance, not to strengthen America's cyberdefenses. The bill originated in the Senate Intelligence Committee, and not the Banking, Commerce, Homeland Security or Judicial committees.
"This vote will go down in history as the moment that lawmakers decided not only what sort of Internet our children and our children's children will have, but what sort of world they will live in," said Evan Greer of digital-rights group Fight for the Future. "Every senator who voted for CISA has voted for a world without freedom of expression, a world without true democracy, a world without basic human rights."
But the bill does funnel all shared information through the Department of Homeland Security, which will be ordered to strip out as much personally identifiable information as it can before passing it on to other agencies. DHS is regarded as having pretty strict privacy rules, and a "manager's amendment" added to CISA before passage clarified DHS's central role.
A counter-amendment that would have let companies share private information directly with the FBI or Secret Service, without passing through DHS, was defeated after the White House hinted it might withdraw support from CISA if the amendment was included. Five amendments that would have worked in the other direction, boosting privacy protections and cutting back the immunity protections for companies, were also shot down.
The role of the DHS is the biggest obstacle to reconciling the Senate's bill with the companion House bills, which permit more direct communication between companies and other federal agencies. Sen. Burr told The Hill yesterday that the reconciliation process would probably drag into 2016.
"You saw how difficult it was and how technical this can be," Burr said. "We're going to move at a very slow pace."
The privacy-boosting manager's amendment not only secured the White House's support, but may have lessened some of the opposition that CISA faces from online companies — which, despite assertions from privacy advocates, was never that strong in the first place.
The Computer & Communications Industry Association (CCIA), which includes Amazon, Facebook, Google and Yahoo among its members, opposed the unedited version of the bill, but seemed more receptive to the amended version. (Apple came out strongly against CISA on its own, while Facebook, Google and Yahoo stayed neutral.)
"People like to have clarity when they're doing this kind of sharing," CCIA policy lawyer Bijan Madhani told The Hill. "Right now information gets shared, but it's sort of less structured."
Two experts from the information-security industry were similarly ambivalent.
"CISA is not the worst thing ever, in the sense that it means well," Adam Kujawa, head of malware intelligence at Malwarebytes Labs, told Tom's Guide.
But "a bill like this should never just pass for the sake of passing," he added. "If that happens, we are dealing with another PATRIOT Act, something which was rushed out the door because of outcry and has been used plenty of times for both the benefit and detriment of various parties."
"Information sharing is a good practice that should be facilitated, but not mandated," said Fred Kost, senior vice president at cloud-security provider HyTrust. "The bill seems like an attempt to address the wave of major attacks seen in 2015, yet doesn't address core issues such as requiring encryption and data protection."