On Tuesday, the Senate passed a bill that has made a lot of people unhappy. By a vote of 74-21, an unheard-of majority these days, the Cybersecurity Information Sharing Act (CISA) was passed. As Brian Krebs described it, CISA is:
… a bill designed to shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another to fight cybercrime.
You might think there would be appreciation that steps were finally made toward doing something about cybersecurity and setting up what should be a more cooperative environment to better avoid breaches and other threats. Instead, there has been tremendous outcry by industry, particularly the tech industry, because of a belief that there are little to no privacy protections built into the bill. As Tech Insider explained:
To be clear, there is nothing explicitly written in CISA that requires tech companies to hand over your private messages. But opponents of CISA argue that the bill is not clear about what constitutes a cybersecurity threat. This means any kind of potential threat will be forked over to the government so that tech companies aren't liable for obscuring a potential security breach.
As Paul Kurtz, CEO of TruSTAR Technology and former cybersecurity advisor to the White House under Clinton and Bush, told me in an email, this bill is a move in the right direction to address what he called the cybersecurity crisis, but, he added, the privacy issue can’t be ignored. The next move for Congress and industry will be to develop language that better defines what privacy is and what falls under privacy protection laws.
However, as Justin Harvey, chief security officer of Fidelis Cybersecurity, said in an email comment to me, the bill itself is short-sighted and may not fix cybersecurity-related problems as hoped. He said:
I don't believe the bill is doing enough to ensure we stay ahead of the hackers. Encouraging companies to share their cyber threat intelligence indicators is not the answer. They can already do this with DHS and the US CERT. Catching attackers with threat intelligence is only effective if someone else has seen the threat before. Many of today’s attacks are signature-less, which means they’ve never been seen before.
No, this bill isn’t perfect. And there will be changes because it hasn’t finished making its way through the legislative system. But it makes an attempt to do something to ramp up cybersecurity efforts and get entities to work together, and frankly, at this point, something is better than what we’ve been doing – and that’s virtually nothing.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba