How does sharing information more widely promote privacy and security? It seems counterintuitive, but supporters of the Cybersecurity Information Sharing Act (CISA) say that's their goal. Privacy advocates say they are, at best, misguided.
The efforts of Apple, Google, Facebook, Twitter, Yahoo, Wikipedia, Yelp, Sprint, and most privacy organizations weren't enough yesterday to prevent the Senate from passing the measure 74-21. It now heads to a conference committee to work out differences with the version already passed by the House, then heads to President Obama for his signature.
"No amount of changes in conference could fix the fact that CISA doesn't address the real cybersecurity problems that caused computer data breaches like Target and the U.S. Office of Personnel Management (OPM)," the Electronic Frontier Foundation said in a statement.
"The passage of CISA reflects the misunderstanding many lawmakers have about technology and security. Computer security engineers were against it. Academics were against it. Technology companies, including some of Silicon Valley’s biggest like Twitter and Salesforce, were against it. Civil society organizations were against it. And constituents sent over 1 million faxes opposing CISA to senators," EFF said.
But there was no dissuading lawmakers who bought the arguments put forward by intelligence agencies and the financial services and retail industries.
“Cyber-attacks present one of the most critical national and economic threats that this nation faces. It’s time to get serious about a comprehensive cybersecurity strategy, and this legislation is a step in the right direction,” Sen. Warner said. “This is a serious problem that isn’t limited to government. ... It is critical we encourage increased coordination and information sharing, between companies and the government, in order to identify and protect against real threats.”
Retailers urged quick action to bring a final version of the bill to Obama's desk.
"Cyber-attacks are not going away; in fact, hackers are only growing more sophisticated in their ability to attack businesses, institutions, and governments," said Retail Industry Leaders Association vice president Nicholas Ahrens. “Common-sense legislation that gives businesses the tools and legal protections needed to share cyber-threat indicators is a step in the right direction to thwart future attacks."
Hogwash, said the Electronic Frontier Foundation. "With security breaches like T-Mobile, Target, and OPM becoming the norm, Congress knows it needs to do something about cybersecurity. It chose to do the wrong thing," EFF said. "EFF will continue to fight against the bill by urging the conference committee to incorporate pro-privacy language. And we will never stop fighting for lawmakers to either understand technology or understand when they need to listen to the people who do."
Out of sync
Among its other potential problems, CISA could put the U.S. out of step with the European Union, said Mike Weston, CEO of data science consultancy Profusion.
“This is bad news. Just as the EU makes it clear that the ease with which security agencies gain access to commercially held personal data is a serious problem, the U.S. government makes it even easier for this snooping to happen," Weston said.
“The Cybersecurity Information Sharing Act will make it significantly harder for the U.S. and Europe to agree a replacement for the collapsed Safe Harbour provisions. Without assurances that European citizens’ personal data is protected, it’s hard to see how such an agreement might be reached, putting the ‘thriving transatlantic digital economy’ at risk of stuttering, or worse.”
Rick Martinez, Chair of the Privacy and Cyber Security Litigation practice at Robins Kaplan LLP, also sees trouble ahead.
“Yesterday’s Senate vote pits those who value security against those who value privacy. As a result, we see strongly divided constituencies on both sides of the debate," Martinez said in an email. "The bill allows companies to share evidence of cyberattacks with the U.S. government — critics say — without fear of lawsuits if that information also violates privacy.
"As a result, the timing of this particular legislation may end up further complicating the efforts to remedy the European Court’s recent dismantling of the U.S.-E.U. Safe Harbor framework for cross border data transfers.”