Over the past couple of weeks, political blogs have been abuzz over rumors that Senate Majority Leader Mitch McConnell (R-Ky) would be moving to vote on the Cybersecurity Information Sharing Act before the summer recess (which starts August 8). Advocates of the bill panicked about whether the vote could be hurried and whether it would have enough support when it hit the floor, and opponents were considering any and all stall tactics to prevent it from being voted on until significant changes have been made. While CISA has a complicated legislative history already, the recent flurry of debate has people wondering what exactly the bill is pushing for and why it’s become so divisive for lawmakers.
What is CISA?
The Cybersecurity Information Sharing Act (a.k.a. CISA) is a proposed law that aims to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” More specifically, the law would allow sharing of Internet traffic information between technology/manufacturing companies and the government. It was introduced to Congress in July 2014 and passed the Senate Intelligence Committee, but it didn’t get a full Senate vote before the session ended. It was reintroduced as an amendment to the National Defense Authorization Act in March 2015 as part of the next congressional session, but was blocked. Last month, Senate Majority Leader Mitch McConnell has stated that he will reintroduce the bill in the hopes of bringing it to a senate-wide vote this month.
In practice, the bill would create a system for federal agencies to receive threat information from private companies and would give legal immunity from privacy and antitrust laws to any companies that provide cyber threat information. Specifically, it would require the director of national intelligence to increase sharing of cyber threat information to the private sector, authorize organizations to monitor their networks for cyber threats and voluntarily share that information with the government, put liability protections in place for organizations that do, and require procedures around the government’s ability to use the data it receives.
Who’s for it?
The bill has gotten support from industry advocacy groups and trade associations like the National Cable & Telecommunications Association and the BSA (The Software Alliance), as well as the US Chamber of Commerce and other high-profile groups. Their general claim is that private companies have had no incentive for sharing information on cyberthreats they encounter with the government, which has limited the government’s ability to prepare for and assess cybersecurity risks. The business community strongly believes that without providing for some kind of immunity for businesses, companies won’t take the legal risk of handing information over to the government. Proponents of CISA also point to the provision that requires the government to have procedures and limitations around the use of the data it receives, arguing that PII and other personal data not considered relevant to a cyberthreat will be protected sufficiently under CISA. The questions up for debate, though, are how and when information will be deemed usable and how much immunity will be granted.
Who’s against it?
Critics of CISA are mostly privacy advocates, like the ACLU and the Electronic Frontier Foundation, concerned about what the government will do with the data given to them by private companies. Opponents worry that the bill will strip away rights provided in other privacy laws, like the Stored Communications Act, and will increase government surveillance to funnel mass amounts of personal data on American citizens to the NSA. More recently, the Department of Homeland Security issued an objection to the bill this week, saying that the system for information-sharing proposed by the bill could potentially delay responses to the cyber threats it’s meant to address, since threats will no longer be routed through the DHS. Even those who will compromise privacy for security are questioning the legitimacy of CISA as a protective measure, arguing that CISA will create more false positives rather than address real threats.
What’s been made clear over the past two years is that there are significant amendments to be made to CISA before critics will feel comfortable with the data protections it provides. If the vote is rushed, both sides of the debate worry that there won’t be sufficient time for debate and addition of amendments that will make the bill more palatable (and more likely to pass).