The Cybersecurity Information Sharing Act pits privacy-focused consumer advocates against government efforts to open the door to information sharing.
Controversial legislation aimed at allowing companies to share cyber-attack information with government agencies continues to attract opposition, pitting privacy advocates and security experts against non-technical businesses and government agencies.
On Oct. 22, the Cybersecurity Information Sharing Act of 2015 (Senate Bill 754) advanced through the legislative process, with votes expected next week on the bill's proposed amendments. The bill promises liability protection for companies that share information about attacks with specific government agencies, but privacy advocates have criticized the legislation and proposed amendments as empowering surveillance and increasing the reach of the controversial Computer Fraud and Abuse Act.
"CISA is fundamentally flawed," Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, stated in a blog post on Oct. 22. "The bill's broad immunity clauses, vague definitions, and aggressive spying powers combine to make the bill a surveillance bill in disguise."
The bill, originally created by the bipartisan chairs of the Senate Intelligence Committee, is legislators' latest attempt to create an information-sharing framework. However, security experts have argued that the bill's language could give the National Security Agency increased capabilities to collect information on U.S. citizens and allow defenders to take steps that could impact Internet infrastructure, without making the Internet appreciably more secure.
The debate underscores that privacy has become a major concern as the lessons learned from documents leaked by former NSA contractor Edward Snowden sink into the public consciousness.
Many businesses support the bill. In particular, the bill's provisions for protecting companies against lawsuits for providing data under the auspices of the act gained support from organizations representing retailers, the food service and grocery industry, health care management providers, insurance companies and physical security firms. In a letter to the U.S. Senate, the groups supported CISA and an additional amendment proposed by Senator Tom Cotton, R-Ark., which would eliminate liability for sharing information with the FBI and the Secret Service.
"A major barrier that prevents the business community from working together to combat these unprecedented attacks is the risk of costly frivolous lawsuits," the groups stated in their letter to the U.S. Senate. "We believe that Congress should enact legislation that gives businesses legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving real-time threat indicators and defensive measures and taking actions to mitigate cyberattacks."
Yet most security professionals and privacy advocates are concerned that the bill gives businesses a legislative shield against lawsuits without making the Internet much safer. Seven out of eight well-known security experts did not think CISA would help defenders, according to a poll of 70 security "influencers" by the Christian Science Monitor.
Major technology companies—such as Apple, Microsoft and Twitter—had supported the information-sharing act until a grassroots effort put pressure on the companies. The campaign, led by FightForTheFuture.org, resulted in a reversal in the support for the bill by the Business Software Alliance and 23 major technology firms.
The Computer & Communications Industry Association, an industry organization representing technology and Internet companies, is also calling for the bill to be modified.
"CCIA is unable to support CISA as it is currently written," the group stated in mid-October. "CISA's prescribed mechanism for sharing of cyber-threat information does not sufficiently protect users' privacy or appropriately limit the permissible uses of information shared with the government."
CISA continues to be a moving target, with votes expected on a number of amendments next week. However, the fundamental point of contention—trading liability protection for information without adequate privacy controls—seems unlikely to change.