This Tuesday, the U.S. senate passed a bill called The Cybersecurity Information Sharing Act (CISA). This bill enables companies to work more closely with law enforcement to prevent hackers from acquiring sensitive information from companies. CISA helps companies react quickly to cyberattacks and it allows them to share cyber threat information with the Department of Homeland Security. When a company is being hacked “cyber threat indicators” are sent to the Department of Homeland Security, who then sends this data to the FBI, NSA and other governmental agencies who share warnings with other companies. In theory, the information shared will be limited to only “threat indicators” meaning data such as technical information about malware used or ways that hackers cover their track. However, the bill has a significant provision. CISA gives companies the option to share information beyond the “cyber threat indicator.” For example, if a company shares too much information about their users, this bill shields that company from private lawsuits and antitrust laws. Once Homeland Security receives information from a company, they are obligated to share the company’s report which may include customers’ personal information. CISA would provide legal liability protections for companies that share cyberthreat information to government agencies.
However, there is controversy underlying this bill. Critics say that this bill is a “surveillance bill” and an excuse for government agencies to receive more “upstream information” and use shared data from companies to spy on customers. Others opposing the bill say that sharing cyber threatening information will do very little in preventing hackers. In fact, Homeland Security established the United States Computer Emergency Readiness Team (US-CERT) in 2003 which collects, analyzes and responds to cyber attack information shared amongst other agencies. All CISA would do is help in collecting more information, but the bill does not state how the information will be used or how the private sector might access this information. In addition, the bill does not make it clear on how information would be shared, who would manage the information, and how will it be disseminated. Some tech giants, including Apple, are aggressively against the bill stating that “the trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy”.
This occurrence shows the relationship between government and companies and how policies can either hinder or benefit companies. This bill allows companies to wash their hands from sharing users’ information and gives more power to the government. I feel like this bill is not really solving the hacking problem, it is only protecting companies from potential lawsuits and gives an excuse for government to have an individual’s private information. This bill is only giving the government legal permission to further intrude on our personal lives, it is not addressing the issue of preventing hacking. If the president signs this bill, the government will be further monitoring which will significantly infringe on our liberties.