The U.S. Senate voted overwhelmingly in favor of the controversial Cybersecurity Information Sharing Act (CISA)...
Tuesday evening. The bill passed on a vote of 74 to 21, and now moves on to be reconciled with the Protecting Cyber Networks Act, which had passed the House of Representatives in April.
According to Ari Schwartz, current managing director of cybersecurity services for Baltimore-based Venable LLP and former White House senior director for cybersecurity, CISA was bound to pass because of trade association support.
"It was a strong statement that folks are in favor of getting something done in the space," Schwartz said. "There were over 50 trade associations lobbying in favor of it. So while there has been a lot of tension over the last few days with those who oppose it, there has been a sustained effort in favor over the past year by the trade associations and led by the U.S. Chamber of Commerce."
Justin Harvey, CSO of Boston-based Fidelis Cybersecurity, said he never believed it was obvious who was pushing this legislation or why it was necessary.
"I don't believe the bill is doing enough to ensure we stay ahead of the hackers," Harvey said. "Encouraging companies to share their cyber threat intelligence indicators is not the answer. They can already do this with the Department of Homeland Security and the U.S.-CERT [United States Computer Emergency Readiness Team]. Catching attackers with threat intelligence is only effective if someone else has seen the threat before. Many of today's attacks are signatureless, which means they've never been seen before."
Schwartz said that telecoms, retail companies, energy companies and transportation companies have all voiced support, because although there are ways to share threat intelligence, the worry is in legal liability.
"It's not the technology that's the problem," Schwartz said. "It is the concern that they have liability in sharing the information. Some sectors have been able to do it effectively, but some sectors have specific laws that stop them from being able to do it."
CISA has been criticized by experts for having "significant problems," most of which revolve around the bill being overly broad when it comes to defining what information should be shared, how the government will handle the data, which government agencies get access and how to balance liability protections with accountability.
Geoff Webb, vice president at Houston-based NetIQ, said the type of information shared is critical.
"If, as is suggested by critics, the CISA allows intelligence and law enforcement to essentially harvest large amounts of otherwise private and protected data as part of 'information sharing,' then this legislation could be used as a workaround to gather data on citizens that would otherwise not be available," Webb said. "So while the intention could be to share data on the attack, the actual process of sharing may simply further erode our individual, personal privacy and protections."
Paul Kurtz, CEO of TruSTAR Technology LLC, based in Arlington, Va., said it may be up to the infosec industry to create the infrastructure to preserve privacy while working within the framework of government legislation, such as CISA.
"This bill will provide important liability protections for companies that choose to exchange cybersecurity threat information," Kurtz said. "However, we have also heard the message loud and clear that information sharing efforts must not cost us our privacy. Now that government has played its role by removing legal obstacles to cyber incident collaboration, it is time for industry to work together to create a privacy-preserving information sharing infrastructure."
CISA will move to be reconciled with the Protecting Cyber Networks Act in the House, but Webb said any legislation that ultimately makes it to the president needs the trust of the security industry.
"What we need is an efficient, trusted and safe model for organizations, government and law enforcement to be able to share attack techniques and profiles quickly, to reduce the abilities of hackers, thieves and nation-state actors to pick off -- one by one -- organizations whose data or IP they wish to steal," Webb said. "CISA may be a good attempt, but without the trust of the industry, it will be difficult to be fully effective in the long term."
Learn more about threat intelligence sharing and the government's role.
Learn more about new threat intelligence sharing strategies.