In October, the U.S. Senate passed the Cybersecurity Information Sharing Act by an overwhelming majority -- 72 to 21, with five Senators not voting -- and it appears to be on its way to becoming the law of the land. Many technology companies and privacy advocates are concerned about how CISA may force private companies to share customer data and communications with the federal government for frivolous reasons. What does this mean for enterprise information security programs?
Cybersecurity Information Sharing Act overview
The Cybersecurity Information Sharing Act, or CISA, sparked a huge controversy while it was debated earlier this year. Privacy advocates and some corporate interests worried it would facilitate the unrestricted sharing of information between corporations and the federal government. They were concerned that CISA did not contain enough personal privacy protections or restrictions on how the government would use information collected under the program.
As it currently stands, CISA is awaiting completion of the reconciliation process. The Senate passed the Cybersecurity Information Sharing Act while the House of Representatives passed two companion bills: the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act of 2015. Congressional leadership must now meet to combine these bills into a single law that will be presented to President Obama for signature. Experts think this will occur in early 2016.
The stated purpose of the law, according to its proponents, is to allow companies and government agencies to share information with each other as they investigate cyberattacks. Currently, a variety of regulatory frameworks impede this sharing. For example, a hospital that comes under attack might be prevented from sharing information with government agencies due to restrictions of the Health Insurance Portability and Accountability Act.
CISA's impact on enterprise security
While many provisions of CISA may be modified during this reconciliation process, there is good news for enterprise security professionals. No matter how the privacy issues sort themselves out, there won't be much impact on enterprise security requirements. One key point about CISA is that it does not impose any mandatory reporting requirements on private organizations. While it does create a framework for sharing information with the government, any such sharing is completely voluntary for participating organizations.
Organizations that intend to participate in this data sharing program may wish to use this opportunity to take stock of their privacy practices. Customers will inevitably be concerned about how the organization shares information with the government and will want assurances that personally identifiable information will be removed before information is shared. While the final version of the Cybersecurity Information Sharing Act will likely contain some restrictions on how the government uses personal information it receives, companies would be well-served to remove any such information prior to sharing it with government agencies.
Companies seeking to perform this evaluation might select a recent security investigation to use as a template. Look at the information collected during that incident and identify any information sources that might be shared with the government under CISA in similar future investigations. What personal information exists in those data sources? Is it possible to programmatically remove that information while retaining the usefulness of the data in a security investigation?
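One way to approach that last question, as an added example that is not part of the original article and not prescribed by the law: a small Python pass over constructed web-server log lines that replaces e-mail addresses with keyed pseudonyms, so an analyst receiving the data can still see that several events involve the same account without learning who it is, while the attacker's source address, request paths and status codes stay intact. The log lines, the key and the field layout are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample: web-server access lines as they might be pulled from an
# incident investigation. The source address 198.51.100.23 (a documentation
# range) stands in for the attacker; the e-mail addresses are the PII to strip.
SAMPLE_LOG = """\
2015-11-02T14:03:11Z GET /login user=jane.doe@example.com src=198.51.100.23 status=401
2015-11-02T14:03:12Z GET /login user=jane.doe@example.com src=198.51.100.23 status=401
2015-11-02T14:03:40Z GET /wp-admin user=bob.smith@example.com src=198.51.100.23 status=200
"""

# Constructed per-share key. A real key would be generated fresh for each data
# share and kept inside the organization, so the recipient cannot reverse tokens.
SHARE_KEY = b"example-per-share-key"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def pseudonymize(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed-hash token.

    The same value (case-insensitively) always yields the same token under one
    key, so correlation across events survives while the identity does not.
    """
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return "user_" + digest[:12]

def redact_line(line: str, key: bytes) -> str:
    """Pseudonymize every e-mail address on one log line; all other fields are kept."""
    return EMAIL_RE.sub(lambda m: pseudonymize(m.group(0), key), line)

def redact_log(text: str, key: bytes) -> str:
    return "\n".join(redact_line(line, key) for line in text.splitlines())

def contains_email(text: str) -> bool:
    """Final check to run before any record leaves the organization."""
    return EMAIL_RE.search(text) is not None

if __name__ == "__main__":
    scrubbed = redact_log(SAMPLE_LOG, SHARE_KEY)
    print(scrubbed)
    print("residual e-mail addresses:", contains_email(scrubbed))
```

The same pattern extends to other identifiers an investigation's data sources may carry (account names, customer IDs); the decision of which fields count as personal information is the policy step the paragraph above asks each organization to make.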
The Cybersecurity Information Sharing Act will likely bring significant changes to the sharing of security information between government agencies and the private sector. As the bill approaches the president's desk for signature, enterprise security professionals should begin discussing what information they might share under CISA and how they will protect the privacy of personal information contained within those records.