Congress Makes New Attempt at Cybersecurity Legislation

How Heartbleed Is Changing Security

Cybersecurity has made its way back into the halls of Congress. As we’ve seen in the past, cybersecurity has been the victim of the polarized partisanship that has plagued just about every other issue over the past four or five years, and to be honest, I don’t have high hopes now, especially since the Cybersecurity Information Sharing Act (CISA) is already being called controversial. But the Act passed through the Senate Intelligence Committee with a bipartisan 12-3 vote. It is the counterpart to the House’s Cyber Intelligence Sharing and Protection Act (CISPA). CISPA, if you recall, was not well received by virtually anyone because of privacy concerns. And that looks to be the concern with CISA. Add to that the concerns brought on by NSA activities, and it’s easier to understand why many are wary of this new legislation. As Tom Cross, director of security research at Lancope, pointed out in an email to me:

The controversy over CISA is exacerbated by the extreme distrust that recent events have engendered between the national security world and the privacy community. On the one hand, the sort of intelligence sharing that CISA seems, on its face, to authorize is extremely important and it needs to happen, but on the other hand, it’s not clear why new legislation would be needed to authorize it – it’s already legal. Therefore, many people suspect that the purpose of pushing for new legislation is to authorize some secret program that isn’t obvious from the law’s text.

As I read over the main points of CISA, I don’t see why there would be controversy – it encourages better security practices all around. But not everyone agrees, as InformationWeek pointed out:

Privacy groups, however, contend that the legislation does not do enough to protect private information. In a letter sent last month to [Sen. Dianne] Feinstein and [Sen. Saxby] Chambliss, the American Civil Liberties Union, the Center for Democracy and Technology, the Competitive Enterprise Institute, the Electronic Frontier Foundation, and more than a dozen other advocacy groups warned that CISA ignores the outcry over the revelations about the scope of NSA data gathering.

“Instead of reining in NSA surveillance, the bill would facilitate a vast flow of private communications data to the NSA,” the letter said. “CISA omits many of the civil liberties protections that were incorporated, after thorough consideration, into the cyber security legislation the Senate last considered.”

I have no illusions that CISA is perfect or about its privacy controls. I also think that the time has come for all of us to realize that privacy in 2014 and beyond doesn’t mean what it did in 2004. It’s a cyberworld and we need to learn to live in it and create laws to protect it. At least CISA takes steps to improve cybersecurity and the sharing of cyber intelligence. I agree with the comment that Anthony DiBello, director, strategic partnerships at Guidance Software, made in an email to me:

Regarding the privacy concerns, I believe it is wise not to be overly prescriptive in the CISA, but instead to point to a separate guideline regarding privacy protections, with control to review and update regularly. This ensures CISA can remain relevant even as the technology used to support it changes over the years.