After months of discussion and hard work, the Senate appears set to move forward this week with the Cybersecurity Information Sharing Act of 2015 (commonly known as CISA). As a member of the Protecting America’s Cyber Networks Coalition, we were proud to sign and submit a letter yesterday supporting CISA and committing ourselves to working with lawmakers to get cybersecurity information-sharing legislation quickly enacted. You can read that letter here. For more on the specifics of CISA and where NCTA stands on this bill, we refer you to the blog we wrote a few months ago. But in short, CISA is a law that would allow companies to share cyber threat information with each other and electronically with a civilian government portal at the Department of Homeland Security (DHS) in order to mitigate and prevent cyber attacks.
A law like CISA is born out of necessity. Last year, cybersecurity company Semantic reported that over 348 million identities were stolen. 46 percent of Americans were exposed through these data breaches. And CSIS, the Center for Strategic and International Studies, estimates the annual cost of cybercrime tops $400 billion and results in a loss in as many as 200,000 jobs. CISA is designed to not only guard the companies targeted by cyber attacks, but also protect individuals who depend on those companies to secure their personal data.
“CISA is designed to not only guard the companies targeted by cyber attacks, but also protect individuals who depend on those companies to secure their personal data.”
Needless to say, a cybersecurity bill of this stature and relevance has been met with both spirited support and concerned opposition over three Congresses. Many of the apprehensions – especially those regarding individual privacy and civil liberties– have been heard and important changes have been made to the bill to ensure it can in no way be misused as a “surveillance” bill. Its scope is extremely narrow, and specifically aimed at protecting business, individuals, and critical Internet infrastructure from malicious cyber attacks. It does this by allowing companies to share cyber threat indicators, or CTIs, with other companies and the DHS portal in real time through a mandated automated process.
As an exercise, we thought it would be helpful to illustrate how information might be shared under CISA. In doing so, we hope to reveal both the benefits of the kind of information sharing allowed with the bill as well as the strong protections built in to ensure individual liberties and privacy are not at risk.
So imagine Company X becomes a victim of a DDOS attack designed to overwhelm and crash its servers. Such an attack would wreak havoc on routine business, cause thousands of dollars in damage, and potentially expose sensitive customer data. With CISA, Company X can take what they learned about the attack (such as information about how the attack was carried out, where it came from, how Company X successfully mitigated the damage once the attack began, and other CTIs) and share it with other companies and through the automated DHS portal process allowing real-time sharing of CTIs and the defensive measures taken.
Knowledge sharing like this has the obvious benefit of potentially identifying and stopping the DDOS attackers, but it also helps prevent similar attacks in the future by allowing businesses to identify exposures and take protective measures before an attack happens. Plus, in some cases, CISA protects the companies that share data from lawsuits lobbed at them for having appropriately shared data in the first place. In short CISA helps everyone, not just Company X and its customers, reduce the frequency, damage, and data exposure of cyber attacks. Not to mention it protects critical infrastructure and individual private data.
Perhaps more important than what was allowed in our scenario is what’s not allowed. Under CISA, Company X cannot include personal data captured along with its shared information on the DDOS attack. For example, CISA does not allow the sharing of a person’s behavioral, financial, or social information. It goes so far as to require the removal of personal information if it’s embedded in shared CTIs unless directly related to the cyber threat. CISA cannot be used by government agencies to investigate and prosecute “serious violent felonies”- which was a significant pro-privacy change to the bill. CISA cannot be used to “hack back.” So, as a defensive measure, companies are not allowed to destroy or render other computer systems unusable. And CISA liability protections cannot be used when sharing CTIs with the Department of Defense or the NSA – only with DHS. In short, the bill writers have worked diligently to address the concerns of privacy and civil liberties organizations.
While this is just one single example, there are many more imaginable scenarios in which the freedom to share CTIs and defensive measures could not only prevent future attacks, but protect private personal data. CISA passed the Senate Select Committee on Intelligence in March with broad support from both political parties and industry. CISA represents a workable compromise among many stakeholders. CISA safeguards privacy and civil liberties; it is not a surveillance bill.