Weeks ago, the Senate passed the Cybersecurity Information Sharing Act (CISA) by a vote of 74 to 21. It took the Senate more than four years to pass the controversial bill.
In a nutshell, CISA requires government agencies, corporations and other organizations to share with one another information that could help identify cybercriminals and potential threats. The idea is that sharing this information will leave these groups better equipped to protect and defend themselves. The Senate rejected amendments, including one addressing concerns that companies could give the government personal information about their customers.
CISA has been controversial from the start, primarily because of privacy concerns. Fight for the Future says the legislation would "grant blanket immunity for American companies to participate in government mass surveillance programs like PRISM, without meaningfully addressing any of the fundamental cyber security problems we face in the U.S."
Many of the privacy concerns stem from the bill’s lack of clarity. It does not clearly define how cyberthreat information is going to be shared, nor does it outline how that information will be managed and disseminated.
What happens to your company privacy policy?
One concern CIOs and other business people have expressed is that their company privacy policies could be usurped by CISA. For businesses, CISA may mean added complexities when it comes to user privacy. Some say it essentially means that customers of a business will no longer be able to rely on their privacy policy. At this point, it is also unclear to what extent companies will be required to anonymize the information that they share with other entities.
Debate has also centered on whether the bill will even work, considering the speed at which cyberattacks come at us today. Many argue that the speed of cybercrime makes the sharing of information across companies effectively useless because, in many cases, by the time the information is shared it is too late for corporations to defend themselves. Critics also say that it’s unlikely that CISA would have prevented some of the most damaging data breaches that have taken place in recent months.
Progress despite controversy?
Many, however, view the fact that the Senate passed a cybersecurity bill at all as a success.
“This is a good bill. It is a first step,” Sen. Dianne Feinstein said recently. “It’s not going to prevent all cyberattacks or penetrations, but it will allow companies to share information about the cyber threats they see and the defensive measures to implement to protect their networks.”
Next steps
The Senate bill will now have to be reconciled with two bills similar to CISA that the House passed in April, the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act. Ultimately, a combination of the three pieces of legislation will make its way to the White House. President Obama will then decide whether or not to sign the bill into law, though indications are that he is willing to sign it, despite protests from tech companies and privacy advocates.