Picks of the Week: Senate’s Cybersecurity Bill is a Starting Point, not the Finish Line
Senate Passes Cybersecurity Information Sharing Bill Despite Privacy Fear | The Washington Post
Ex-NSA Chief Warns of Cyberspace Dangers | U.S. News and World Report
Last week, the bipartisan and long-anticipated Cybersecurity Information Sharing Act (CISA)—a bill designed to bring together the departments of Defense, Justice, and Homeland Security in their efforts to combat cyber crime and to encourage the voluntary sharing of cyber threat information—passed in the Senate by a wide margin. The Act’s passage, however, was not without controversies.
Proponents of the bill have called it a necessary tool in the fight against the constant cyber threats facing businesses and government alike, and have highlighted the need for greater collaboration between the public and private sectors following the mega data breaches of the past couple of years. Under the legislation, government agencies, corporations, and other organizations would be legally allowed to share information that could potentially help identify cybercriminals, mitigate the risks from cyber attacks, and help them take preemptive measures against those potential attacks and their perpetrators. Retired Army Gen. Keith Alexander, former chief of the NSA and U.S. Cyber Command, testified in favor of the measure before the Senate Armed Services Committee on Wednesday and praised lawmakers for passing the CISA bill, but also warned that more incentives will be needed to promote information sharing and to encourage companies to promptly alert government agencies of cyber intrusions. “In cyberspace, to go halfway around the world takes 67 milliseconds,” he said. “I believe that those that want to do us harm can do that in one swipe … if that happens, the cost to our nation could be measured in the trillions.”
Opponents of the bill argue that it would impinge on civil liberties by effectively opening the door to the unchecked sharing of information between private companies and the government. Critics believe that the vague language in the bill could pave the way to short-circuit warrant requirements that government agencies must abide by when seeking certain domestic information. There are major concerns regarding how cyber threat information will be shared, to what extent companies will be required to anonymize the information they share with other entities, and how that information will be managed and disseminated.
Doubts and critics aside, most view the fact that the Senate passed a cybersecurity bill at all as a success in and of itself. Lawmakers have spent nearly a decade attempting to pass comprehensive cybersecurity legislation, so it is no surprise that the passage of this bill was hailed as a significant step in the right direction in the fight against hackers and cybercriminals. The problem, however, is that the legislative process never moves as fast as cybercriminals. While this and other similar bills grew stale during seemingly endless years of compromise and contention in Congress, hackers refined their criminal craft and developed more sophisticated methods of attack. As a result, CISA may not be as effective as hoped in the prevention of cybercrime, and it may not have prevented some of the most damaging data breaches that have made headlines in recent months, such as the ones at OPM, Sony, and Target.
That being said, although supporters of the information sharing bill assure the public that sufficient privacy protections are included in it, the bill still has many hurdles to pass before it can become the law of the land. It will have to be reconciled with the two similar bills passed by the House in April—the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act—and ultimately a combination of the three Acts will make its way to the White House for final authorization through the President’s signature.
These developments notwithstanding, we must remember that sharing threat intelligence alone is not going to prevent or mitigate specific threats if that information is not processed properly and in a timely manner, operationalized, and ultimately incorporated into an overarching cybersecurity strategy and risk mitigation platform within any given organization. The road to that goal is a long one, and we have only just begun to pull away from the starting line. – Senior Fellow Francesca Spidalieri