The U.S. Senate yesterday approved the Cybersecurity Information Sharing Act (CISA) by a vote of 74 to 21. The bill will now be reconciled with two similar measures that passed the House earlier this year, Reuters reports.
CISA's supporters say it will encourage private companies to share information on cyber security threats and data breaches with the government by providing them with immunity from lawsuits for doing so, though its opponents say it presents a serious threat to consumer privacy.
"The bill is fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities," the Electronic Frontier Foundation said in a statement. "The bill now moves to a conference committee despite its inability to address problems that caused recent highly publicized computer data breaches, like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links."
And as Krebs on Security's Brian Krebs reports, a group of professors who research and/or teach about cyber law and cyber security recently stated in an open letter to the Senate, "While recent amendments to CISA have attempted to address the significant privacy and surveillance concerns ... the fundamental problem inherent in CISA remains. In sum, it will do little, if anything to address the very real problem of flawed cybersecurity while creating conditions ripe for abuse."
Most strikingly, the professors wrote, CISA will allow sharing of previously private information with the government, "allowing secret and ad hoc privacy intrusion in place of meaningful consideration of the privacy concerns of all Americans."
But Frank Keating, president and CEO of the American Banking Association, yesterday said in a statement that the ABA applauds the Senate for passing CISA. "It would enhance ongoing efforts by the private sector and the federal government to better protect both our critical infrastructure and Americans from all walks of life from cyber criminals," he said. "CISA facilitates increased cyber intelligence information sharing between the private and public sectors, and strikes a balance between protecting consumer privacy and allowing information sharing on serious threats to our nation’s critical infrastructure."
Still, Keating said some of the Senate's amendments to CISA are problematic. "In particular, a provision that would change the inherent voluntary nature and structure of CISA by allowing DHS to create cybersecurity standards for critical infrastructure that would have the practical impact of regulation is unnecessary and harmful," he said.
TruSTAR Technology CEO Paul Kurtz told eSecurity Planet by email that the liability protections the bill provides to companies are important. "However, we have also heard the message loud and clear that information sharing efforts must not cost us our privacy," he said. "Now that government has played its role by removing legal obstacles to cyber incident collaboration, it is time for industry to work together to create a privacy-preserving information sharing infrastructure."
A recent eSecurity Planet article questioned whether sharing threat intelligence can thwart cyber attacks.