CISA headed for Senate vote despite criticism
The Cybersecurity Information Sharing Act (CISA) has cleared numerous hurdles but faces more before it becomes a law that secures private data networks against malicious hackers.
Sponsored by Richard Burr (R-N.C.), chairman of the Senate Select Committee on Intelligence (SSCI), and Dianne Feinstein (D-Calif.), the committee’s ranking Democrat, CISA offers incentives for companies to share early “cyberthreat indicators” with the Department of Homeland Security.
For example, hospitals and health systems would get liability protections when they share cyberthreat data with the government.
But, some privacy advocates and technology companies have said the bill would do little to strengthen cybersecurity and protect individuals' personal information. Some say the bill offers a solution to a problem that doesn’t exist and is a major threat to U.S. citizens’ privacy rights.
Sharing these data could open organizations up to legal action should they inadvertently share personal data.
CISA "contains critical provisions that would move the entire healthcare community forward in addressing the many challenges of an increasingly complex health IT cybersecurity landscape," noting that the provisions "would create the infrastructure and support required by health care ... to better identify cyberthreats," said Lisa Gallagher, HIMSS vice president of technology solutions.
The "Senate needs to send the president a good cyber bill this year," wrote Ann Beauchesne, senior vice president for national security and emergency preparedness at the U.S. Chamber of Commerce, in an opinion piece on The Hill's "Congress Blog.” Noting the costs associated with cyberattacks, Beauchesne said CISA “is a step in the right direction.”
Critics, however, cite the Department of Homeland Security’s existing cyberthreat alert system, compiled by the department’s Computer Emergency Readiness Team (DHS-CERT). It monitors public and private network threats and provides daily updates to anyone who wants to subscribe. That system hasn't been deemed a success or a failure so why replace it?
The proposed law puts DHS in charge of the new data collection powers but what will and can happen to the data also is under question. CISA gives Homeland Security the power to share data with "any federal agency or department, component, officer, employee, or agent of the federal government." That could include law enforcement bodies like the FBI and ATF, intelligence agencies like the CIA and NSA, or private contractors hired by federal agencies.
The bill instructs the government to protect the confidentiality of personal data “to the greatest extent practicable,” but exactly what is "practicable" won't be determined until after CISA becomes law and government agencies begin drafting specific guidelines.