The Senate is now considering the Cybersecurity Information Sharing Act (CISA), and the sponsors of the bill have presented a manager’s amendment in addition to many other amendments presented by individual Senators. While some of these amendments are technical or have no significant influence on the bill, several will harm the value and likelihood of information sharing.
Information Sharing Basics
Information sharing is centered on sharing data on cybersecurity threats and vulnerabilities between and among private-sector and government actors. Similar to the way that the Waze application or traffic reports on the radio warn commuters of troublesome accidents, information sharing helps private-sector and public-sector organizations avoid cybersecurity attacks or using flawed programs. As such, information sharing is focused on sharing the threat signatures and faulty coding in IT products, not on personal data, such as the contents of e-mails. Such shared information should be available to law enforcement to stop and investigate cyber-crimes, as well as to investigate other problems that are related to those cyber-crimes.
In order to ensure that such sharing occurs, the private sector needs liability and regulatory protections, as well as immunity from Freedom of Information Act (FOIA) requests. Without those protections, companies will be hesitant to share information because it could be used against them in court, by a regulator, or by their competitors and cyber adversaries. While information sharing is not a silver bullet, it will improve the information available to all parties, and thus can improve America’s cybersecurity posture.
In the manager’s amendment, there do not appear to be any provisions that harm information sharing, but CISA was also expanded to include non-information-sharing provisions. Flowing from the failure to detect the hack on the Office of Personnel Management (OPM), CISA’s new Title II seeks to strengthen U.S. detection capabilities with its networks, and to ensure that the appropriate strategies, plans, and assessments guide the development of these capabilities. Title III seeks to identify federal cyber workforce needs and require that each agency develop a plan to remedy its cyber workforce shortcomings. The final title calls for a variety of studies and strategies, including on mobile security, State Department cyber diplomacy, apprehending cyber criminals, emergency services cybersecurity, the security of the health care industry, and vulnerable infrastructure.
Other amendments are harmful. Senator Patrick Leahy’s (D–VT) amendment will strip the remaining protections from FOIA requests from the bill, which will certainly harm information sharing and make voluntarily shared information available to competitors and adversaries. Any amendments that require additional, duplicative scrubbing of personal identification, beyond the provisions already in the bill, will further slow down information sharing, lessening its usefulness.
While one of Senator Jeff Flake’s (R–AZ) amendments institutes a six-year sunset provision—which may threaten the use of information sharing due to companies preferring long-term protections—it does wisely include a savings clause to protect information-sharing activities that occurred while the act was in force.
One other amendment that has been pulled from consideration but is worth mentioning is the Judicial Redress Act, which quickly passed the House on suspension. This act would allow citizens and governments of select allies as well as “regional economic integration organizations,” such as the European Union, to sue U.S. agencies that do not properly respond to requests made under the Privacy Act. European nations have demanded such provisions as part of negotiations regarding transatlantic data transfers. The measure certainly does not belong in the CISA debate and it may open U.S. intelligence and law enforcement agencies up to even more lawsuits from individuals and governments across the world. While U.S. citizens supposedly can make similar requests and take similar legal action against European nations, it would be worth investigating to see if this is actually true in practice.
Making Information Sharing Work for U.S. Security
To ensure that information sharing contributes as much as possible to U.S. cybersecurity, Congress should:
- Preserve liability and FOIA protections. CISA currently provides strong liability and FOIA protections for businesses that share information. These measures ensure that businesses will not fear any detrimental legal or competitive effects from voluntarily sharing information, and should be maintained.
- Maintain broad authorized uses for shared information. CISA includes relatively broad areas where the government can use shared information. An even better policy would be to allow government agencies to use and share information so long as one significant use is for a cybersecurity purpose.
- Streamline privacy provisions. Privacy provisions that overly impede information sharing should be revised. Instead of requiring that all information be scrubbed of all personal data, a more appropriate standard is to require the reasonable removal of personal information in a way that does not impede sharing. The adoption of automated methods based on STIX or other information-sharing tools can be used to help limit the amount of personal data in shared information. Additionally, duplicative privacy provisions and reporting requirements should be streamlined.
Moving Forward with Cybersecurity
CISA will improve the cybersecurity of the U.S. so long as amendments do not weaken information-sharing provisions. Congress should also be looking for additional ways to strengthen U.S. cybersecurity, especially when responding to aggressive state actors in cyberspace.
—David Inserra is Policy Analyst for Homeland Security and Cyber Security in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.