The Newly Enacted Cybersecurity Information Sharing Act (CISA) – Good or Bad Policy?


ISIS uses encrypted communication methods to reach sympathizers over the Internet. Drugs are sold in decentralized markets in the hidden corners of the Web. People who want to exploit children have anonymous forums where posts are very difficult to trace. Terrorism and crime have gone digital, creating new challenges for law enforcement.

Thousands of software and hardware security flaws are floating in the ether, waiting to be discovered and exploited. When a computer security flaw enables unauthorized remote access, tech-savvy criminals can steal data, add a compromised system to a botnet, and sometimes even cause physical damage to a machine. But unlike terrorist recruitment or trafficking in illegal goods, cyber attacks often leave little physical evidence.

These cyber security threats pose a significant problem for both the private sector and the government. In 2015, the federal Office of Personnel Management announced that its systems had been breached, resulting in the theft of over twenty million personal records, many if not all including the social security numbers of federal employees and anyone who had applied for a security clearance. From journalists to the family members of job applicants, the range of affected persons grew as more was learned about the hack. But how far are we willing to go to curb twenty-first century crime?

One recent piece of legislation – the Cybersecurity Information Sharing Act, or CISA – provides one avenue to address cyber attacks by encouraging information sharing between the government and the private sector. Sharing information related to cyber threats and cyber attacks between the private sector and the government – and in both directions – could help make everyone more aware of current cyber risks and what to do about them.

Proponents of civil liberties online argue against information sharing because of the danger that it would expand the surveillance powers of the federal government.

CISA was the first cyber security information sharing bill to be enacted into law. The Senate passed CISA in October 2015, and during deliberations on the omnibus budget bill in December 2015, CISA was inserted almost word-for-word into the budget bill, which was then passed by both houses and signed into law by President Obama.

CISA could address security by improving the sharing of security research between the government and the private sector. As it stands, in addition to permitting the sharing of non-technological security measures, CISA also allows personal information to be shared between the government and the private sector.

Under CISA, all information sharing is purely voluntary. While a voluntary program sounds good in theory, in practice the lack of limitations and specific requirements can lead to oversharing of individuals' information. Add in the civil liability exemption that CISA gives to companies that share information, and the risk of oversharing becomes even greater. Alternatively, if the sharing of information is only voluntary, companies may choose not to provide any information to the government for fear of harming their reputation when information about cyber attacks on their systems becomes public.

The passage of CISA is not celebrated by many privacy proponents. CISA defines “cyber threat indicators” very broadly, encompassing non-technological methods of breaching security in addition to technological threats. The non-technological methods, like ensuring that employees follow proper procedure and do not disclose information to potential hackers using social engineering, are arguably better addressed by the private sector itself.

At this very early stage, it is unclear what CISA’s long-term impact will be. However, this is a topic that policymakers and concerned citizens should watch very closely over the coming months and years.

Author – Jay Kesan