BreachExchange mailing list archives

A Quick Guide to the Cybersecurity Bill Passed by the U.S. Senate


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 28 Oct 2015 19:02:55 -0500

http://www.scientificamerican.com/article/a-quick-guide-to-the-senate-s-newly-passed-cybersecurity-bill/

Yesterday, after more than a year of bickering, stalling and revising, the
Senate passed its most significant cybersecurity bill to date 74–21
<http://www.senate.gov/legislative/LIS/roll_call_lists/roll_call_vote_cfm.cfm?congress=114&session=1&vote=00291>.
The Cybersecurity Information Sharing Act (CISA
<https://www.congress.gov/bill/114th-congress/senate-bill/754>) is a
controversial measure to encourage businesses and government agencies to
share information related to malicious hackers and their methods.

Government and industry have talked about such information sharing for more
than a decade. The House of Representatives passed a precursor to CISA—the
Cyber Intelligence Sharing and Protection Act (CISPA
<https://www.congress.gov/bill/113th-congress/house-bill/624>)—in 2013, but
the bill’s progress stopped
<http://www.huffingtonpost.com/2013/04/25/cispa-cyber-bill_n_3158221.html>
when Pres. Barack Obama threatened a veto due to a lack of privacy
protections. Sen. Dianne Feinstein (D-Calif.) introduced the first version
of CISA in July 2014, but the bill didn’t gain traction until she and Sen.
Richard Burr (R-N.C.) reintroduced the legislation this past March.
High-profile cybersecurity breaches at Sony Pictures
<http://oag.ca.gov/system/files/12%2008%2014%20letter_0.pdf>, Home Depot
<https://corporate.homedepot.com/mediacenter/pages/statement1.aspx>, the Office
of Personnel Management
<https://www.opm.gov/cybersecurity/cybersecurity-incidents/> and dozens of
other organizations within the past year alone helped CISA make its way to
the Senate floor.

CISA’s problem had been the liability and privacy concerns that companies
expose themselves to when they start handing data—customer records in
particular—to the government. The bill limits companies’ liability in
lawsuits, but the Senate voted down measures that would have required
businesses and government agencies to at least try to scrub records of data
that could be used to identify individuals.

Critics point out that information sharing will do little to prevent
successful cyber attacks. In fact, the federal government already has an
organization for sharing cybersecurity threat information. The Department
of Homeland Security established its United States Computer Emergency
Readiness Team (US-CERT <https://www.us-cert.gov/about-us>) in 2003 to
collect, analyze, disseminate and respond to cybersecurity information
shared among government agencies, the private sector and researchers. At
this point CISA would aid cyber threat data collection, but it’s unclear
how that information would be used. In addition, most of the bill is
devoted to outlining how the federal government would share information
throughout its various agencies, with little mention of how the private
sector might access this data.

Several privacy advocates and businesses opposed to CISA have pointed out
that sharing information about new types of malware, suspicious network
activity and other cyber-threat indicators will do little to crack down on
cybercrime. Such information sharing must be combined with implementing
encryption, patching outdated software and otherwise bolstering cyber
defenses. The Electronic Frontier Foundation
<https://www.eff.org/deeplinks/2015/10/eff-opposes-cisa-final-vote-approaches>
summarizes this argument in its latest criticism of CISA.

*Scientific American* has compiled a cheat sheet to help you understand the
bill, why it is controversial and what it means to you.

*What is CISA’s purpose?*

The bill calls for government agencies, businesses and other organizations
to share information about cybersecurity threats with one another. The
thinking is that this shared information will help these different groups
better prepare themselves to identify and defend against hackers trying to
steal information from their computers. CISA in its current form, however,
does not clearly define how this information would be shared, who would
manage such information or how it would be disseminated.

*Who is in favor of CISA?*

Co-sponsors include Sens. Dianne Feinstein (D–Calif.), Richard Burr
(R–N.C.), Bill Nelson (D–Fla.) and Angus King (I–Maine). The U.S. Chamber
of Commerce and the Financial Services Roundtable
<http://fsroundtable.org/fsr-launches-advertising-campaign-urging-congress-to-pass-cisa/>,
an advocacy group for the U.S. financial services industry, also support
the bill.

*Who is against it?*

Privacy advocates at organizations such as the Electronic Frontier
Foundation
<https://www.eff.org/deeplinks/2015/10/eff-strongly-oppose-cisa-cyber-surveillance-bill-and-cfaa-amendment>,
the Center for Democracy & Technology
<https://cdt.org/blog/guide-to-cybersecurity-information-sharing-act-amendments/>
and Fight for the Future <https://www.fightforthefuture.org/>; tech
industry groups, including the Computer & Communications Industry
Association (CCIA
<http://www.ccianet.org/2015/10/ccia-urges-senate-to-improve-cybersecurity-information-sharing-act/>),
whose members include Facebook, Google and Yahoo; and more than a dozen
cybersecurity experts
<https://static.newamerica.org/attachments/4459-pr-massive-coalition-of-security-experts-companies-and-civil-society-groups-urge-obama-to-veto-cisa/Final_Coalition%20Ltr%20Urging%20Pres.%20to%20Veto%20CISA.8b33e2d86dc14780b35c9cde44a41797.pdf>,
including Massachusetts Institute of Technology professor Ronald Rivest
(the “R” in the RSA cryptography protocol
<http://www.scientificamerican.com/article/can-t-touch-this-new-encryption-scheme-targets-transaction-tampering/>)
and Bruce Schneier, a fellow at Harvard Law School’s Berkman Center for
Internet and Society. In Congress, Sens. Ron Wyden (D–Ore.), Al Franken
(D–Minn.), Patrick Leahy (D–Vt.) and Dean Heller (R–Nev.) have lined up
against the bill, along with presidential candidates Sens. Rand Paul
(R–Ky.) and Bernie Sanders (I–Vt.).

*What are the arguments against CISA?*

Sen. Wyden and others have called CISA a “surveillance bill
<http://morningconsult.com/2015/10/changes-to-cybersecurity-bill-point-to-smooth-senate-passage/>,”
arguing that the National Security Agency and other government entities
could use information shared by companies to spy on their customers.
Critics say that the process of passing customer information to government
agencies or other third parties creates new opportunities for data to be
stolen. They also argue the bill fails to address the real reasons
<https://www.eff.org/deeplinks/2015/10/eff-strongly-oppose-cisa-cyber-surveillance-bill-and-cfaa-amendment>
hackers are able to steal data—including outdated software, malware and
unencrypted files—and that because information sharing would be voluntary,
a lack of participants could undermine the program.

*Did recent amendments
<http://morningconsult.com/2015/10/tech-industry-backs-off-cybersecurity-bill-after-latest-changes>
to the bill address any of these concerns?*

The Senate rejected three separate amendments
<http://www.senate.gov/legislative/LIS/roll_call_lists/vote_menu_114_1.htm>
that at least attempted to remove data that could identify individuals
before sharing customer information when that information is not necessary
to describe or identify a cyber threat.* Another amendment, however, gives
participating companies legal protections
<http://www.sltrib.com/home/3092229-155/cybersecurity-senate-takes-initial-step-to>
from antitrust and consumer privacy lawsuits. And the government claims
that information it receives will not be used to prosecute non-cyber-related
crimes
<http://morningconsult.com/2015/10/changes-to-cybersecurity-bill-point-to-smooth-senate-passage/>.

*What happens next?*

In all likelihood CISA will soon be reconciled with two information-sharing
bills that the House of Representatives passed in April. The combined bill
will go to the White House, where Pres. Obama will probably sign it into law
<http://www.washingtontimes.com/news/2015/aug/5/white-house-endorses-cisa-cyber-bill-amid-senate-s/>.
Once that happens, the U.S. Attorney General has 180 days to finalize a
plan for collecting and disseminating cyber-threat data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
