Supporters of a controversial cyberthreat information-sharing bill will push for the U.S. Senate to pass it this fall, even as some security experts question whether it would be effective.
Backers of the Cybersecurity Information Sharing Act (CISA) will resume efforts to get the bill passed when Congress returns from a month-long recess next week, although Senate Majority Leader Mitch McConnell, a Kentucky Republican, has not yet put CISA on the Senate floor schedule, a spokesman said.
Backers of CISA and similar bills say the sharing of cyberthreat information is necessary for businesses and government agencies to respond to ongoing attacks. But cyberthreat information-sharing may not have prevented several recent, high-profile attacks on government agencies, said Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint, a cloud-based security vendor.
Several recent government breaches “were the result of targeted attacks against people,” using email, social media and other methods, Kalember said by email.
“From what we understand, the attacks were also targeted,” he added. Those breaches couldn’t have been stopped nor prevented, even if the attacks’ details — such as the type of malware and distribution methods — had been quickly shared, according to Kalember.
While sharing the method of attack may alert other agencies or businesses, the variety of cybersecurity controls used across the government and beyond may limit the effectiveness of threat sharing, he added. Agencies “have no consistent technical means of making the intelligence actionable, something that CISA does basically nothing to solve.”
CISA would protect businesses that share cyberthreat information with each other and with government agencies from customer lawsuits.
Beyond questions about effectiveness, privacy and civil liberties groups say the bill would allow businesses to share too much personal information with government agencies such as the National Security Agency. Critics have called CISA a surveillance bill in disguise.
Even after a long debate on the Senate floor this summer, there are still “significant problems” with CISA, said Greg Nojeim, senior counsel at the Center for Democracy and Technology, a digital rights group.
“In our view, information is power,” he said. “If the entity receiving the information is a military/intelligence agency, especially the NSA, that puts the NSA in the driver’s seat of what should be a civilian cybersecurity program.”
Still, several tech and business trade groups are pushing hard for Congress to pass CISA.
The Senate version of CISA requires businesses to have an automated process in place to remove personal information, Alan Roth, senior executive vice president at trade group USTelecom, wrote in an August blog post.
“The millions of Americans whose personal information is being threatened every day by hackers, cybercriminals and, regrettably, even some nation-states or their proxies, will be big privacy winners under this legislation,” Roth added.