We are in “the red zone” for the Senate’s Cybersecurity Information Sharing Act (CISA), one of the first significant cybersecurity bills, currently in conference with a House version. So what does this mean for U.S. companies?
Under CISA, companies would receive liability protection for
- Monitoring information systems (including their own and those of their customers when given permission), and
- Voluntarily sharing cyber threat information with other companies and the government.
However, major concerns still plague the process, and some of the biggest names in technology (think Apple, Microsoft, LinkedIn, Facebook, Google, and others) vehemently oppose the bill. We outline some of the pros and cons here and what the bill means for U.S. businesses:
- Better Baseline: New liability protections under CISA will likely raise the bar for security practices. Defining liability implies setting a baseline, and enterprise due care will expand in response. Liability protections also enable companies to set up their own network defenses to repel attackers.
- Real-Time Data: The quality of threat information and enterprise response could improve significantly. Companies that share and receive real-time threat information would be better informed about the threat environment, and could take action quickly.
- Privacy, the Casualty (Again): Industry groups and privacy advocates fear the law would sidestep multiple privacy concerns. As companies share threat information with each other and with government, it is highly likely that personal data would occasionally be included by accident. CISA’s liability protection would cover companies that run into this type of situation, putting customer privacy at risk. So far, little thought has been given to the consequences of such a slip-up.
- Government Duplication: Others fear heavy government involvement in developing plans for cyber incidents that affect critical networks. In general, heavy government centralization of information sharing is seen as unnecessary and too sweeping when companies like Facebook are already building their own information sharing capabilities, such as ThreatExchange.
Despite the cons, we are still nearing the final stages of a significant cybersecurity bill. So what can we do moving forward?
We outline a few takeaways for taking action, but as CISA evolves, so will the implications for U.S. businesses. Here are the actions we think will stay constant:
- Develop a company position on handling information sharing, stating whether real-time information sharing or data sanitization and privacy is the highest priority. Small and medium businesses in particular should take a hard look at participating if they don’t have the infrastructure to support privacy best practices and stringent data security.
- Invest in educating network defenders. Sharing and receiving threat information and erecting network defenses require ongoing education, strong network design and security practices, and organizational oversight.
- Update and streamline identity and access management, and ensure granular access controls for those interacting with information sharing portals.
As security guru Bruce Schneier has stated, we’re still squarely in the “response era” of cybersecurity. We’ve evolved from learning about the threat landscape, we’ve seen government and industry collaborate to build the NIST Cybersecurity Framework, and now the national dialogue is focused on breach response and information sharing. The conversation about CISA reinforces that, but will have to make privacy a core component for us to evolve further.