Evil Internet Bill CISPA Is Back From The Dead, Now Cleverly Titled CISA

29 Oct 2015

A Quick Guide to the Cybersecurity Bill Passed by the U.S. Senate.

WASHINGTON (AP) — The Senate passed a bill Tuesday aimed at improving cybersecurity by encouraging companies and the government to share information about threats. After years of political wrangling, the US Senate on Tuesday passed a cybersecurity bill that has drawn praise from business groups and criticism from privacy advocates.

CISA would force websites and tech firms to share user information with the government, so long as that information fits an astonishingly vague description of a “cyber threat.” The newly successful CISA is recycled from a less-popular model. The bill aims to reduce cyber attacks by allowing companies to share cybersecurity threat data with the Department of Homeland Security and other federal agencies. If, as expected, the bill passes in the House and becomes law, CISA would facilitate the sharing of cyber threat indicators — the latest forms of malware, spear phishing campaigns, and known malicious domains — between the private and public sectors. The thinking behind the bill is that sharing information would better prepare the country against hackers, although the bill does not clearly define how information collected would be disseminated or who would ultimately be in control. The House of Representatives passed a precursor to CISA—the Cyber Intelligence Sharing and Protection Act (CISPA)—in 2013, but the bill’s progress stopped when Pres.

The bill’s looming passage is welcome news as National Cybersecurity Month draws to a close. Cyber attacks now penetrate areas long considered sacred ground. The Senate rejected amendments, including one addressing concerns that companies could give the government personal information about their customers.

The US Chamber of Commerce, the country’s largest business group, lobbied hard for the bill, stating on its website that to overcome obstacles arising from cybersecurity threats, private-public partnerships must form and share information. “In an interconnected world, economic security and national security are linked,” said Thomas J. Technology companies, such as Twitter, Apple and Google, opposed the bill on the grounds it would increase government spying, while the protections currently tendered in the bill do not go far enough to actually work. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., said the measure was needed to limit high-profile cyberattacks, such as the one on Sony Pictures last year. “From the beginning we committed to make this bill voluntary, meaning that any company in America, if they, their systems are breached, could choose voluntarily to create the partnership with the federal government.” The White House expressed its support for CISA earlier this year. “Cybersecurity is an important national security issue and the Senate should take up this bill as soon as possible and pass it,” White House spokesperson Eric Schultz told The Hill in August. “CISPA is nearly identical to CISA.

Hackers are reportedly setting their sights on physical assets, including critical infrastructure like electric grids, transportation systems and telecommunications networks. The bill approaches information sharing from the same framework,” Mark Jaycox, an analyst with the Electronic Frontier Foundation, said. “The Senate bill [CISA] is just smarter with workarounds.” Both bills would offer immunity to companies if they turned over information to the government in order to expose broadly defined “cyber threats.” CISA contains only minor updates, which activists say make the bill more potent than its predecessor. “CISPA was pretty overt in saying ‘the National Security Agency is going to be the lead in this, it’s going to collect the information,’” Jaycox said. “CISA says the Department of Homeland Security will be the lead in this, but the DHS has to automatically share it with the NSA … There are small, sly changes like that within CISA.” In 2011 and 2012, the Internet rallied against SOPA and PIPA, two controversial bills that would have given the government new powers to block websites that violated copyright. High-profile cybersecurity breaches at Sony Pictures, Home Depot, the Office of Personnel Management and dozens of other organizations within the past year alone helped CISA make its way to the Senate floor. Whether Obama will veto such a bill depends on whether its final passage meets his own standards on security and privacy, said Nathan White, a senior manager with the digital rights group, Access, to the National Review. “The administration’s policy up to this point has been very clear,” he said. “It has supported CISA’s process but expressed concerns that it is currently dangerous to cybersecurity.”

To protect our critical assets, we need to bring government and industry together and see the benefits of public-private collaboration in thwarting them. With PIPA and SOPA you had literally tens of millions of people engaged, writing and calling Congress, posting blackouts on their sites… I don’t think it’s quite the same scale.” The Sunshine in Government Initiative, a Washington organization that promotes open government policies, urged the Senate last week to support Leahy’s amendment. The Snowden scandal continues to loom large, and corporations and privacy advocates remain concerned about the way in which the government handles industry communications and customer data.

Participation is voluntary and companies have long been reluctant to tell the U.S. government about their security failures. “Passing the bill will have no effect on improving cybersecurity,” said Alan Paller, director of research for the SANS Institute. “That’s been demonstrated each time sharing legislation has been passed. The thinking is that this shared information will help these different groups better prepare themselves to identify and defend against hackers trying to steal information from their computers.

The cost to companies of disclosing their failings is so great that they avoid it even if there is a major benefit to them of learning about other peoples’ failings.” Cyberattacks have affected an increasing number of Americans who shop at Target, use Anthem medical insurance or saw doctors at medical centers at the University of California, Los Angeles. More than 100 companies — including Yahoo, Microsoft, Twitter, Pinterest, Tumblr, and Dropbox – already participate. The U.S. and the technology industry already operate groups intended to improve sharing of information among the government and businesses, including the Homeland Security Department’s U.S.

Ron Wyden (D–Ore.), Al Franken (D–Minn.), Patrick Leahy (D–Vt.) and Dean Heller (R–Nev.) have lined up against the bill, along with presidential candidates Sens. Beyond functionality, the symbolic significance of DHS reaching out to a leading tech firm to construct this critical government system could ripple quickly, and powerfully, across the tech industry and beyond, serving as a valuable sign of good faith.

Critics say that the process of passing customer information to government agencies or other third parties creates new opportunities for data to be stolen. They also argue the bill fails to address the real reasons hackers are able to steal data—including outdated software, malware and unencrypted files—and that because information sharing would be voluntary, a lack of participants could undermine the program. As more and more service members take off their uniforms, DHS and other agencies should partner with security firms to offer – and pay for – specialized training for veterans who want to enlist in a new battle against cyber incursions. Attorney General has 180 days to finalize a plan for collecting and disseminating cyber-threat data. *Editor’s Note (10/28/15): This sentence was edited after posting to clarify that the version of CISA passed October 27 does not require participants to remove personally identifiable information.
