
How will the Cybersecurity Information Sharing Act affect enterprises?

The Cybersecurity Information Sharing Act has ruffled some feathers in the security industry. What is the CISA and what is the debate around it?

There has been some controversy around the Cybersecurity Information Sharing Act, and it seems some security professionals are vehemently opposed to it. Could you explain what the CISA is, and what it aims to do in the security industry?

The Cybersecurity Information Sharing Act (CISA), not to be confused with the CISA certification from ISACA, is a bill under consideration that is intended to improve information sharing about cyber threats between private companies and the U.S. government. Opponents of the act believe that it oversteps privacy protections. Many have echoed the concern that the federal government, however good its intentions, either cannot be trusted or lacks the wherewithal to maintain proper security and privacy for the personal information it gathers.

The purpose of the Cybersecurity Information Sharing Act is to:

  • Identify a cybersecurity purpose;
  • Identify the source of a cybersecurity threat or security vulnerability;
  • Identify cybersecurity threats involving the use of an information system by a foreign adversary or terrorist;
  • Prevent or mitigate an imminent threat of death, serious bodily harm or serious economic harm, including a terrorist act or a use of a weapon of mass destruction;
  • Prevent or mitigate a serious threat to a minor, including sexual exploitation and threats to physical safety; and
  • Prevent, investigate, disrupt, or prosecute an offense arising out of a threat such as serious violent felonies or relating to fraud and identity theft.

The purpose of CISA appears to be justified, but some critics are concerned that the information shared between the U.S. government and private companies includes personal information of noncriminal entities.

The Cybersecurity Information Sharing Act states that cybersecurity intelligence data will be gathered "in a manner that protects from unauthorized use or disclosure any cyber threat indicators that may contain personal information of or identifying specific persons." This data will be shared between private entities and government agencies. The bill defines a private entity as "any person or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or nonprofit entity, including an officer, employee, or agent thereof. [It also] includes a State, tribal, or local government performing electric utility services."

There are other provisions that require federal agencies to protect data from unauthorized access, though recent breaches by Chinese hackers bring this protection requirement into question.

There are two other House bills -- the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act -- that are very similar to CISA, and it is only a matter of time before one of them is signed into law.

As written, the CISA should work. In practice, it is dubious at best. Some critics believe the CISA won't work because of inherent faults in the government. That may or may not be true, but cybersecurity threats are certainly real and continuously evolving. Information sharing is only one of many facets of cybersecurity that entities need to consider in securing their environment. So the question remains: Should there be a Cybersecurity Information Sharing Act? Yes, I believe so. But are we ready for it? That's definitely still up for debate.



This was last published in September 2015
