Cybersecurity Insight

Breaking Down The Cybersecurity Information Sharing Act

29 Oct

Cyber attacks are one of the most prolific crimes of our day. Hackers from around the world threaten private businesses and governments on a daily basis with cyber attacks and crime. They try to access personal data, take down websites and applications, steal credit card information, and more. While much has been made of cyber crime, cybersecurity has been a stagnant topic within the United States Government.

With hopes of changing that, the U.S. Senate this week passed the Cybersecurity Information Sharing Act, or CISA. But what does the new legislation really do, and how will it affect everyday citizens, businesses, and governments?

What Is The CISA?

The new bill hopes to curb cyber crime by allowing governments, businesses, and other organizations affected by cyber attacks to share threat information with one another. By sharing this information across organizations, the hope is that these groups will learn from one another – allowing them to better prepare for, thwart, or completely nullify future cyber attacks.

The Good

Information sharing is part of the dawn of a new information age. People and organizations share information each and every day, whether it’s to help better society as a whole, build new businesses, or improve governments. Sharing information can be used for good, and collecting more information about cyber attacks across different areas should help organizations better protect themselves.

The Bad

One of the main issues that has been brought up about the bill is that it doesn’t really specify how the information is to be collected, how it is to be shared, or who would manage this information. Some use the old adage “take it one step at a time,” meaning let’s first pass the bill and then worry about the specifics, while others say we’re “putting the cart before the horse,” meaning we’re creating legislation without any meaningful discussion about how to make it work. While the bill’s intent comes from a good place, there really wasn’t any clear direction on how to implement it in the real world.

Another issue is that of personal privacy. While several proposed amendments to the bill would have removed the possibility of sharing personal or customer data, those amendments were eventually rejected. This means that a company or organization that shares cyber attack information is not required to remove what may be considered personal customer data. However, the organization is not necessarily required to provide this information either.

What’s more, the bill does grant organizations protection from antitrust and consumer privacy lawsuits if they do in fact share the information. So, depending on your stance on personal privacy when it comes to overall protection, this could be either a good or a bad thing.

What Does It All Mean?

Right now, we’re not sure it means that much, but this is a big step in the right direction. Congress is expected to meet about previous measures that were passed in the House and possibly merge them with this new legislation, although there isn’t much change expected before the bill is actually signed into law.

How long it will take organizations to begin collecting and sharing cybersecurity data remains to be seen. Surely those opposed to such measures will take longer to come around than others. If nothing else, what this bill has determined is that cybersecurity is a priority and is no longer on the back burner as far as government is concerned.

Certainly there has been pressure since the recent IRS and OPS attacks to come up with some way to help lessen the risk of cyber attacks for governments and for private businesses. While this doesn’t necessarily help in the way of technology or actual safeguards, it should help us better understand cyber threats as a whole, which will hopefully lead to better overall protection – and that’s good for everyone.