The Cybersecurity Information Sharing Act would allow the private sector to voluntarily share information about cybersecurity threats with the government and other private entities. Meanwhile, it directs the federal government to increase its sharing of cyber information with the private sector to help companies protect their systems.
Advertisement
Sen. Ron Wyden, the only member of the intelligence committee to vote against the bill, said CISA will “have a limited impact on USA cybersecurity”.
The problem, of course, is that with immunity protection, companies may feel no qualms about revealing far more personal information about customers and partners than they ever did before.
Senator Heller had an amendment that was basically a backstop against the Wyden amendment, saying that if the Wyden amendment didn’t pass, Homeland Security would be responsible for removing such personal information.
Senate Bill 754 introduced in March by Sen. The House passed two versions of the law earlier this year, but privacy advocates had been pressing for the Senate to either reject the bill entirely or pass amendments tightening controls over personally identifiable information that might get swept up and sent to the government in the automated real-time process the draft law envisages. Tom Cotton, R-Ark. and Chris Coons, D-Del., were also heavily defeated, but a managers’ amendment — a package of changes backed by the bill’s authors – passed, as did the whole bill. Apple, Salesforce, Twitter and Reddit are among individual companies opposed. “Now, more personal information will be shared with the NSA and with law enforcement agencies, and that information will certainly be used for purposes other than enhancing cybersecurity”, said Greg Nojeim, CDT’s Senior Counsel and Director of the Freedom, Security and Technology Project.
Wyden wasn’t the only one speaking out against the bill.
Despite many recommendations made over the past decade-Congress has held cybersecurity hearings every year since 2001-the only major cybersecurity measures enacted were five bills signed by President Obama in December 2014. So CISA’s broad language about allowing companies to share “threat indicators” and other “cybersecurity threat” information “notwithstanding any other provision of law” seems to sweep aside the entire existing framework of privacy law under only very vague parameters.
Advertisement
A few security experts expressed their displeasure with the bill’s passage after the vote.
