Cybersecurity Information Sharing Act (CISA)

Written By: CENSA Editorial Board

—

What does Cybersecurity mean?  Senate passes CISA of 2015.

The United States Senate approved S.754, the Cybersecurity Information Sharing Act of 2015 (CISA), on October 27, 2015.  This bill, along with House passage of H.R. 1560, the Protecting Cyber Networks Act (PCNA) in April of this year, soon will be reconciled and perhaps sent to the White House for enactment within months (if not weeks).  Considering that both bills were approved by wide margins (74-21 and  307-116, respectively) and given the strength of White House support for such legislation despite wide-ranging and noticeable public opposition, now is a great time to look at the legislative history of these respective proposals, and the details contained within. 

            The CISA and PCNA bills are current versions of a legislative movement that began in 2011 with the introduction of the Cyber Intelligence Sharing and Protection Act (CISPA).  The impact of strong popular opinion and consumer-driven conversations related to privacy and civil liberties’ concerns can be seen in the evolution of the title of this legislation.  The change from “Intelligence” to “Information” and the removal of the word “Protection” should lead one to believe that the strong lobbying efforts of many organizations such as the Electronic Frontier Foundation (EFF) were effective to some degree.  EFF and similarly-minded groups are concerned that proposals to increase governance of information-sharing within the cyber domain represents just more of the big-government, heavy-handed pressures on the private sector to share personally identifiable information.  Despite the change in the title, opposition to CISA and PCNA has remained strong.  Perhaps this is because each originated in the respective intelligence committees of the Senate and House of Representatives?

            Assuming the enacted version of the legislation closely aligns with the fundamentals of the originals reported out of the House and Senate, here are few focal points of interest from each of the respective bills: 

S.754 – “(Sec. 4) Permits private entities to monitor, and operate defensive measures to detect, prevent, or mitigate cybersecurity threats or security vulnerabilities on (1) their own information systems; and (2) with authorization and written consent, the information systems of other private or government entities.”

• S.754 – “Directs DHS to ensure that there is public notice of, and access to, the DHS sharing procedures.”
• S. 754 – “(Sec. 8) Prohibits this Act from being construed to permit the federal government to require an entity to provide information to the federal government.”
• H.R. 1560 – “Prohibits defensive measures from being used to destroy, render unusable or inaccessible, or substantially harm an information system that is not owned by: (1) the operator of the defensive measure, or (2) an entity that authorizes the operation of defensive measures on its systems.”
• H.R. 1560 – “Prohibits this title from being construed to: (1) authorize the federal government to conduct surveillance of a person or allow the intelligence community to target a person for surveillance…(3) permit the federal government to require a non-federal entity to provide information to the federal government.”

As of this writing, some large very well-known US-based companies such as Verizon, AT&T, and Cisco reportedly support passage of the legislation while others – Apple, Twitter and Reddit – do not.  This alignment appears to reflect a macro-trend of support throughout the community of large IT hardware and infrastructure providers, with opposition existing and growing among more consumer-driven and public-opinion conscious entities.  In the post-Snowden environment, it is not unreasonable or illogical for public opinion to be skeptical of any cyber data-sharing proposals calling for increased sharing, in the name of security, with the same government organizations that have demonstrated weak security postures themselves. It is also not unreasonable to expect consumer-driven entities to be significantly influenced by public sentiment.

            We live in a very dynamic, complex, and technologically driven world where cyber threats are real, relatively inexpensive, and increasingly present in our daily lives.  Over the last several years the number and density of cyber-attacks have increased and resulted in corresponding losses of data, reputation, and intellectual property, causing significant embarrassment to those involved – with an ease to suggest that attackers might believe they are engaged in a video game.  To remain complacent and conduct business as usual between the private sector and government will continue to produce the same results, but CISA – with all of its issues – can encourage a healthy public-private-partnership (PPP) in a domain that ultimately is in need of effective defense and mitigation measures.  Even with such recognition, we shouldn’t expect private sector companies on either side of the CISA debate to be loud about their participation in sharing information about intrusions, exploits, or vulnerabilities – as such disclosure might affect consumer confidence in their product and then adversely affect their bottom line profits.  CISA, and PCNA for that matter, includes language stating that the government can’t require private firms to share this information.

Cybersecurity is a popularly-used term for a myriad of reasons, applications, and intentions but in the case of CISA/PCNA, the term is being utilized as both a means and a method for describing the federal government’s potential collaborative approach for preventing the loss of data from prominent US companies and governmental agencies.   Going forward, and as the final version of the legislation gets refined and put into law, it will be important for those administering and monitoring implementation of the programs that are newly required to think about the following: 

• Is there enough talent in the public and private sectors to make risk-informed decisions about defending, via implementation of operational measures, information networks that these bills outline, especially where international incidents might be caused by cyber-related mishaps and perhaps when the attribution of an attacker or malware may be mis-leading or even unknown?
• During the implementation phase of CISA/PCNA, is the PPP proposal really based on an opt-in philosophy for private sector companies, or is it instead a heavy-handed oversight program destined to fail in the court of public opinion?
• Is it really necessary to publish all of the internal government sharing procedures dictated by CISA, some of them automated for outside entities to likely exploit?

Can both the public and private participants of this partnership enjoy equal value out of a long-term relationship, with the private sector driven by security and bottom-line profits, and the government driven by safety and public opinion?