Desperate times call for desperate measures, and it was only a matter of time before the U.S. government came up with a new federal law concerning cybersecurity, since the last one, the Cyber Intelligence Sharing and Protection Act, was defeated in the Senate in 2013. Last year was “the year of the breach”, which resulted in many cyber-attacks leading to the passing of a new federal law – the cybersecurity Information and Sharing Act.
This law is said to greatly improve cybersecurity in the United States, but it actually faces a lot of opponents due to its vagueness. It is definitely going to affect cybersecurity, but in what way? Read on to find out what this bill represents and how it actually affects cybersecurity in the U.S.
What Exactly Is CISA
CISA, or the Cybersecurity Information and Sharing Act, is a U.S. federal law that is meant to improve cybersecurity in the United States by allowing technology and manufacturing companies to share information about cybersecurity threats with the U.S. government. It is a way for every company to share “cyber threat indicators” with Government agencies and the Department of Homeland Security, in an attempt to fight hackers and prevent damage before it’s too late.
The collected data can be shared with any of the U.S. government agencies, including the NSA, the FBI, the CIA and many others. This bill protects companies from Freedom of Information Act requests by protecting them from any liability lawsuits for the harm done to their customers, due to the sharing of their private information, as long as they follow government guidelines.
What Do the “Cyber Threat Indicators” Include?
According to CISA, “cyber threat indicators” represent any information that is necessary for identifying threats and they include the following: the consequences of a cyber-attack, “malicious resonance”, that is, any spy software that can steal your passwords, network activity that shows security Vulnerabilities, codes that can bypass your security measures, as well as “malicious cyber command and control” that can point to the source of the cyber-attack.
All of these indicators are pretty useful for fighting hackers and they show potential ways for improving cybersecurity. Another thing that this bill indicates is that companies can share any other information related to cybersecurity threats, unless it is not legal to share that information due to other laws. That is the vague and tricky part that makes everyone wonder whether this shared information will be misused.
Will CISA Leave Room for Privacy?
Apparently, the U.S. citizens can all say goodbye to privacy. That is the main reason why CISA has so many opponents, among which are some of the major technology companies, such as Microsoft, Apple, Google, Facebook, Twitter, Reddit, Wikipedia and many others. The greatest opponents include private companies that don’t engage in any nefarious activities and have literally no reason to be introspected and to provide the government with their customers’ private information.
CISA definitely leaves no room for privacy and, most importantly, it does very little to protect Americans from cyber-attacks. Instead, it greatly focuses on sharing Internet traffic and private information. Americans want real protection from hackers and cyber-attacks and all they got was a bill that threatens their privacy.
What concerns many people is the impact CISA may have internationally. The bill does not state that, of course, as it is designed only for the United States, but due to the fact that much of the world’s data flows through the U.S., American laws affect a much larger number of people than just those inside their borders. After all, the Internet is global.
That means that U.S. laws may not only apply to their citizens and that fact leaves the whole world in fear of their private information online, since CISA may give permissions for people who are not protected by U.S. laws. More importantly, this bill leaves many companies outside the U.S. very concerned about the privacy of their customers who happen to reside inside U.S. borders.
In a nutshell, the Cybersecurity Information and Sharing Act does not do much to improve cybersecurity, as it clearly should. Instead, it seems to be an effective way for the U.S. government to keep tabs on its citizens by having access to every private piece of information about them. Whether that changes eventually or not, only the future will tell.
By Pavle Dinic