Senate Committee Approves Cybersecurity Information Sharing Act, But Privacy Groups Raise Concerns Over Government Access to Personal Data on U.S Citizens
A Senate committee approved a controversial bill that aims to help companies and government share information about cyber-attacks and other threats. Privacy groups opposed the bill because it could potentially give the government access to huge trove of personal data about Americans.
The Senate Intelligence Committee approved the Cybersecurity Information Sharing Act 12-3 on Tuesday. It now goes to the full Senate for a vote. The House of Representatives passed the Cyber Intelligence Sharing and Protection Act, a counterpart bill to the Senate one, last year. If the Senate passes this bill, the two versions will be reconciled before going to the president.
“This goes further than any previous effort to create a standard framework enabling the sharing of cyber intelligence,” said Anthony Bi Bello, director of strategic partnerships at Guidance Software.
The Cybersecurity Information Sharing Act would make it easier for businesses and governments to share threat and attack information to defend against cyber-attacks. Businesses have historically struggled with information sharing because of legal barriers and the fact that many existing information sharing frameworks are vertical-specific. The bill would pave the way for businesses to get the information they need at the right time.
Supporters and Detractors
“We have never had an avenue in the past where the government would willingly share classified cyber threat information in the past, at least not at a level that would be useful to the business world as a whole,” said Adam Kujawa, head of malware intelligence at Malwarebytes. It’s not clear yet what the resulting system would look like, but “it could be very useful,” he said.
Senate Intelligence Committee Chairwoman Dianne Feinstein (D-Calif) called the bill “an important step” toward stopping cyber-attacks. She is hopeful the bill will become law before the end of the year, and said it was just a first step toward improving cyber-security.
Privacy groups have criticized the bill—which includes provisions to protect individual privacy—as not doing enough to prevent branches the National Security Agency and other intelligence agencies from getting access to large amounts of user data. Sens. Ron Wyden (D-Ore) and Mark Udall (D-Colo) voted against the legislation, because it lacked “adequate protections for the privacy rights of law-abiding Americans, and that it will not materially improve cybersecurity.”
The bill includes provisions for privacy, such as requiring companies to strip out personally identifiable data such as names, addresses, and Social Security numbers before sharing the data. It could potentially give the government—namely the National Security Agency—access to even more information about Americans.
“Instead of reining in NSA surveillance, the bill would facilitate a vast flow of private communications data to the NSA,” the American Civil Liberties Union, the Center for Democracy and Technology, the Electronic Frontier Foundation, and dozens of other privacy groups wrote in a letter to senators last month. “This has winners and losers on both sides as with most aspects of politics,” said Marc Maiffret, CTO of BeyondTrust.
Implementation Details
“Cooperation between businesses in the cyber security arena was an inevitable reality,” Kujawa said.
The bill is still in early stages. The final bill that becomes law may differ from the existing version because it will need to be reconciled with the House version. There is also a lot of question about how information sharing will be implemented.
“The devil is in the details,” said James Christiansen, vice-president of information risk management at Accuvant. A well-thought out implementation would be critical, as well as strong oversight and involvement from both the private and public sector to get the bill from theory to reality, he said.
SecurityWeek reached out to various security experts to weigh their reactions to the bill leaving the committee.
There were some areas of concern, such as privacy and details of implementation. Some experts also voiced their support.
“Privacy Will be Compromised”
Privacy rights must be respected, experts said.
“Everybody wants a safe and secure Internet, but the way we go about it is important,” said Steven Chabinsky, general counsel and chief risk officer of Crowdstrike. “The cyber threat is growing more troubling over time and it is the burden of Congress to improve the situation with legislation that doesn’t compromise on security or civil liberties,” he said.
“As a move towards delivering more concrete and achievable steps to achieve better cyber-security, CISA is a step in the right direction,” said Renee Bradshaw, senior solutions manager at NetIQ. The bill is more prescriptive, detailing “how” citizen’s private data should be protected, but it actually provides the federal government and corporations with more access to citizen data. It also shields companies from lawsuits for inappropriately sharing data. “But in giving the federal government and corporations more freedom to use citizen data with less incentive to do it right, it is a big miss,” Bradshaw said.
“While most are in favor of legislation to thwart cyberattacks, CISA arrives at a time when privacy concerns are at the forefront for many Americans and as such, ultimate passage of the bill will be a challenge,” said Michael Sutton, vice-president of security research at Zscaler.
It’s possible the bill may not pass the Senate due to privacy concerns, he said.
“It is unlikely that a skeptical public is willing to accept a promise of data only being used to defend the nation and not infringe on personal liberties.”
“I adamantly support the idea of this bill, but with some serious concerns,” said Bob Stratton, general partner of MACH37. However, “what may have been recent excessively generous interpretations of certain Government surveillance authorities, it is profoundly important to explicitly include privacy protections on the sharing, for intelligence purposes, of information obtained under the monitoring rights enabled in this legislation.”
“We Need this Bill”
“Pending full review of the text of the bill, this one appears to be one that must be passed,” said JJ Thompson, CEO of Rook Security. “Free flow of real-time, raw, cyber threat intelligence must take place unimpeded. In the past we’ve had to back channel intelligence to the FBI about weaknesses or impending attacks to large corporations to avoid frivolous litigation. We look forward to seeing improved public / private communications as a result of this bill.”
While sharing of cyberattack data is “absolutely necessary” to fight off cyber-attacks, “the real challenge is not in passing this bill—hard as it has been to do—but rather in implementing it,” said Craig Carpenter, chief cyber strategist at AccessData. The larger questions deal with who will get access to the data, how far liability protections will go, and what the organizations have to do to protect user privacy?
“But American companies that are under constant attack and cannot win this are on their own,” said Christiansen. “Without banning together as a community we can’t ever expect to win. No sharing system will ever be perfect, but providing more support for companies that provide information about an attack without it becoming a public embarrassment or a legal issue is critically important to these efforts.”
Christiansen wanted a way the information could be shared without making it public, since that would alert the attackers as well. He gave the example of how the public discussion of Heartbleed may have armed criminals with knowledge they didn’t have previously. “As a long-time Chief Information Security Officer, I am frustrated that we don’t have a way to accomplish that today,” Christiansen added.
“IT and consumers need to realize they are being left out in the wilderness to fend for themselves both as it relates to hacking attacks and overreaching governments,” said Maiffret. “We must remember we are still, for a large part, on our own with no real plan coming forward to help improve things for us,” he said.
“On one hand it’s great to see a bill like this getting traction and that we are making strides towards improving information sharing. On the other hand, the critique of this bill is hard to ignore,” said Brandon Hoffman, senior director, Global BD and SE at RedSeal Networks.
Related: Draft Cybersecurity Legislation on Information Sharing Circulates
Related: Understanding The Challenges In Information Sharing
Related: Cyber Attack Exercise Reveals Information Sharing Struggles