With the Senate’s opinion and vote solidified on the Cyber Information Sharing Act (CISA), most everyone weighed in with their thoughts via press release, Twitter and broad forum discussions.
Although the overwhelmingly supportive vote, 74-21, clearly demonstrated government satisfaction with the bill, privacy advocates waved their dissent freely before, during and after the vote. Even now, they’re continuing to voice dissatisfaction as the bill moves to the House of Representatives for a final look.
Saying the privacy of Americans was “greatly eroded” through CISA’s passage, the Center for Democracy and Technology (CDT) wrote in a press release that “the extent to which the bill would improve cybersecurity is unclear.”
Of primary concern to the CDT and other privacy advocates is information being shared among government agencies, including the National Security Agency (NSA) and law enforcement. Following Edward Snowden’s less than rosy leaks surrounding the NSA and its surveillance practices, private companies have become hyper-aware of government oversight. In an effort to regain users’ trust, companies voice their differing opinions, and in some cases, use privacy and security as a marketing move. Apple’s decision to encrypt its devices by default is one example of companies’ skepticism producing tangible results. Transparency reports about requests for user data is another.
With these privacy concerns in mind, Senator Al Franken (D-Minn.) introduced an amendment to CISA that would narrow the definitions of “cybersecurity threat” and “cyber threat indicator.” This much heralded amendment, which privacy advocates saw as limiting some of the bill’s oversights, failed to pass on Tuesday with a vote of 35-60.
In fact, most amendments weren’t agreed to, aside from Senator Jeff Flake’s (R-Ariz.) proposal to terminate the CISA’s provisions after 10 years.
Beyond the privacy concerns, at least one CSO, Justin Harvey of Fidelis Cybersecurity, said information sharing won’t provide the safety and security the government wants.
“Encouraging companies to share their cyber threat intelligence indicators is not the answer,” Harvey wrote in prepared emailed comments to SCMagazine.com. “They can already do this with DHS and the US-CERT. Catching attackers with threat intelligence is only effective if someone else has seen the threat before. Many of today’s attacks are signature-less, which means they’ve never been seen before.”
The reality of these criticisms doesn’t necessarily indicate there aren’t legitimate bill supporters beyond federal legislators.
The Health Information Trust Alliance, or HITRUST, for instance, “applauded” the Senate’s vote and wrote in an emailed press release its support for CISA relies on the fact that it would provide “legal certainty that companies sharing information have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and defensive measures in real time.”
Facebook, too, reportedly supports the legislation.
Nonetheless, conversations and debates will undoubtedly continue until a final CISA decision is made in the House.