CISPA – the controversial cybersecurity bill centered on information sharing, deemed to be vague and entirely broken when it comes to civil liberties, has cleared the House and now heads to the Senate.
However, as it has been before, it may die in the Senate due to the chance of a presidential veto.
The Cyber Intelligence Sharing and Protection Act (CISPA, H.R. 624) passed the House on Thursday with a tally of 248-168. The final count is important, as it provided enough votes to pass the measure itself, but not enough to override a veto, which the White House has threatened.
CISPA supporters claim that such legislation is needed due to the growing threat of cyberattack from nation states such as North Korea and China, or malicious actors acting on their own. Supporters also say that the measure would facilitate stronger protections for critical infrastructure and the public at large, due to the expectation that information sharing on such a large scale would enable a swifter response to emerging threats or outright mitigation.
Lila Kee, the Chief Product and Marketing Officer of GlobalSign and North American Energy Standards Board member, said that it’s good that the attention level is high, as the threat of cyberattack on critical infrastructure is real. “Although there are many cynics and critics, [CISPA] represents a huge step in the right direction, as it will encourage organizations to share real-time information about cyberthreats with the government and each other, ultimately leading to the exchange of best practices and standards on how best to protect critical assets.”
In her statement, Kee added that while it’s important to take the security of critical infrastructure seriously, effective security standards and baselines must also be established.
“Otherwise the thousands of interconnected entities making up the grid will be left to guess at how to best protect their respective sections; we all know that when it comes to cybersecurity, guessing is not much of a strategy.”
But it’s the information sharing in CISPA that’s caused the most complaints, in addition to the lack of actual mandates for new security requirements for critical infrastructure.
“CISPA permits companies, notwithstanding any law, to share with the government cyber threat information that is derived from users’ Internet communications without companies first taking reasonable steps to remove personally identifiable information that is not necessary to describe the threat,” said Greg Nojeim, Director of the Center for Democracy and Technology’s Project on Freedom, Security & Technology.
“This threatens privacy and is unnecessary for cybersecurity. The bill also invites companies to engage in reckless and negligent cybersecurity conduct that could injure others, and insulates that conduct against criminal and civil liability. That said, we were heartened that the House joined the White House and the authors of last year’s leading cybersecurity bill in the Senate in supporting civilian control of the government’s cybersecurity program for the private sector.”
It’s likely that CISPA will die another death in the Senate, however, as it’s too similar to the previous version. Further, as was the case last time this bill hit the Senate floor, the Obama Administration has promised a veto.
“The Administration still seeks additional improvements and if the bill, as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill,” an OMB statement reads in part.
Like the CDT, the Obama Administration is concerned over the lack of requirements that would mandate private entities take measures to remove irrelevant personal information when sharing cybersecurity data with government agencies or other private sector organizations.
“Citizens have a right to know that corporations will be held accountable – and not granted immunity – for failing to safeguard personal information adequately,” the OMB statement added.
While both sides will keep fighting on their points, the aspect of oversharing may be irrelevant. Imperva’s Mark Kraynak put this into perspective.
“Imperva research has shown that sharing threat intelligence information across a community of organizations can dramatically improve the overall defense posture of the entire community,” Kraynak said. “From that perspective, many of the concepts in CISPA would seem to be a positive. However, many privacy organizations oppose CISPA on the grounds that it goes too far in allowing government surveillance of private individuals.”
“What’s left out of this conversation is that this type of sharing is already happening between private organizations,” he added. “And because of its proven efficacy, threat intelligence sharing is bound to continue and even grow in popularity… A starting point for this is to limit shared data to information on attacks or activity that is considered malicious by the sharing organizations, as opposed to any and all data about a given set of users. CISPA in its current form doesn’t seem to address those issues, but the opportunity certainly is there.”