Over the past few years, Congress has made many attempts to pass cyber threat data sharing legislation. Until this year, all of these prior attempts had been unsuccessful. However, in April 2015, the House of Representatives passed two versions of a threat data sharing bill, the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act of 2015 (NCPAA). In October 2015, the Senate followed and passed the Cybersecurity Information Sharing Act (CISA).
The basic idea behind this legislation is that sharing cyber threat information between government and the private sector or between private sector organizations would improve cybersecurity for everyone. Rather than having everyone fight for themselves, information sharing would allow government and the private sector to have better situational awareness and be better prepared against cyber threats.
While this concept is simple, its implementation quickly becomes very complex. There are numerous legal issues that make data sharing difficult. Moreover, the greatest challenge, as was seen in the numerous prior attempts to pass legislation, is to ensure that civil liberties and privacy are protected.
Private sector entities have long voiced concerns about information sharing. Absent legislation that offers protections, businesses are hesitant to share information for a variety of reasons, including the fear that they would be running afoul of existing privacy laws and anti-trust laws, or that any disclosed information would be used against them in shareholder lawsuits or regulatory enforcement actions.
CISA, as well as the House-passed PCNA and NCPAA, alleviate businesses' concerns by establishing legal liability protection for sharing or receiving cyber threat information for a cybersecurity purpose. Pursuant to CISA, "no cause of action shall lie or be maintained in any court against any entity, and such action shall be promptly dismissed, for the sharing or receipt of cyber threat indicators or defensive measures."
CISA also tries to alleviate concerns about civil liberties and individual privacy violations in several ways. CISA defines the type of information that may be shared and the purposes for which that information may be used. CISA also requires a sharing entity to assess whether the information it shares "contains any information that the entity knows at the time of sharing to be personal information or information that identifies a specific person not directly related to a cybersecurity threat and remove such information." Moreover, once the bill is signed into law, the Attorney General will have to issue guidelines on privacy and civil liberties that will govern the receipt, retention, use, and dissemination of cyber threat indicators by the Federal government.
Both the House versions and the Senate version of the legislation passed with widespread support among lawmakers. In their view, these versions address the fundamental concerns about data sharing in a better way than any previous bills. Nevertheless, staunch opposition to this legislation remains. Critics of the legislation say it still does not do enough to protect privacy due to its broad immunity clauses and vague definitions. Furthermore, doubt exists about the ability of the legislation to protect against the kinds of data breaches it is intended to prevent.
Many critics of CISA not only cite liability and privacy concerns, but also say the legislation would not provide better cybersecurity. Some technologists argue CISA focuses on information that is beyond what is needed for cybersecurity. Indeed, greater information sharing would not have prevented data breaches like the ones experienced by Sony or the Office of Personnel Management.
Even if data sharing would be helpful in some cases, CISA is clear that such sharing is voluntary. This means private sector organizations are not required to share information and may well opt not to do so. Some companies, such as Apple, Inc., oppose CISA on the basis that their customers are against it. Apple believes it has a competitive advantage by making customer privacy a top priority. If not everyone participates in data sharing, the efficacy of the law may be further eroded.
Some also see cyber threat sharing legislation as superfluous. Numerous information sharing programs already exist. The Department of Homeland Security shares information with the private sector through the National Cybersecurity and Communications Integration Center (NCCIC). There are also information sharing groups such as the Information Sharing and Analysis Centers (ISACs) or the Information Sharing and Analysis Organizations (ISAOs) where members share cyber threat information.
Despite the enduring critiques of the PCNA, the NCPAA and CISA, it is expected that a conference committee will produce final legislation that will pass both the House and the Senate. Moreover, the White House has endorsed CISA, meaning that a cyber threat information sharing law is expected to be enacted relatively soon. Before it does become law, opponents of CISA are hopeful that some of their critiques may be addressed in conference committee. Furthermore, once the law passes, great care and attention must be given to the development of the guidelines for data sharing and civil liberties and privacy protections.
Given that cyber threat sharing legislation will pass, the question becomes: What will Congress do next? Even supporters of CISA already acknowledge that threat data sharing is only a first and relatively small step towards better cybersecurity. Congress must turn its attention to other cybersecurity issues. Improving critical infrastructure protection would be a wise progression given the catastrophic effects a successful cyber-attack on the power grid or a water utility would have.
One major reason for the overwhelming lawmaker support of CISA is the increased sense of urgency to do something in light of the scope and frequency of cyber-attacks. Regardless of where Congress chooses to go next, it should not let up on this urgency of protecting against cyber threats. Congress and all other stakeholders must work hard to produce sensible and effective laws that will lead to greater cybersecurity.
Markus Rauschecker is the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security as well as an adjunct faculty at University of Maryland Francis King Carey School of Law.
Suggested citation: Markus Rauschecker, Despite flaws, CISA represents progress for federal government action on cybersecurity, JURIST - Academic Commentary, December 1, 2015, http://jurist.org/forum/2015/11/markus-rauschecker-cisa-cybersecurity.php.
This article was prepared for publication by Alix Ware, an Assistant Editor for JURIST Commentary. Please direct any questions or comments to her at firstname.lastname@example.org