The Cybersecurity Information Sharing Act (CISA), which is intended to improve cybersecurity in the nation, is one of the latest contentious federal laws passed by the 114th Congress of the United States. The legislation was first presented in the Senate on July 10th, 2014, and it was officially signed into law on October 27th, 2015. On December 15, 2015, the House of Representatives incorporated the bill's main provisions into a consolidated spending bill after making amendments to it. Three days later, the president signed the bill into law (""Text - S.754 - 114Th Congress (2015-2016): Cybersecurity Information Sharing Act of 2015""). The law is to operate by allowing the sharing of information such as threats emanating from online sources. The law passed by the Congress allows for the sharing of internet traffic information among several agencies such as the technology companies, manufacturing organizations, and the government intelligence organizations such as the FBI and the CIA.
History and Provisions of the Law
After its introduction on 10th July 2014 to the U.S. Congress by California Senator, Diane Feinstein, the bill was able to pass the Senate Intelligence Committee through a vote ("Text - S.754 - 114Th Congress (2015-2016): Cybersecurity Information Sharing Act Of 2015"). However, it failed to attain a full senate vote before the conclusion of the congressional session. It was later reintroduced by Republican senator from North Carolina, Richard Burr, on 17th March 2015. Attempts by Mitch McConnell who is the Senate Majority Leader to attach the bill as an amendment to the annual National Defense Authorization Act turned down by a senate vote that failed to reach the 60 vote threshold ("Text - S.754 - 114Th Congress (2015-2016): Cybersecurity Information Sharing Act Of 2015"). The debate on the bill was further delayed by the legislation regarding the sanctuary cities.
The Act is aimed at making companies to share personal information with the government with ease, especially in cases of cyber security threats. It, therefore, creates a system that allows for the various federal agencies to obtain information from private companies. The law provides that personally identifiable as well as irrelevant information will not be obtained so as to preserve the privacy of organizations (Gori 104). The shared indicators regarding cyber threats can be used in the prosecution of cybercrimes. Evidence regarding crimes that are linked to physical force can also be obtained through the Act.
Evidences in support of CISA
Encouragement of Cyber Information Sharing
The major benefit to companies willing to take part in the cybersecurity information sharing as stipulated in the Act is the real-time delivery of information pertaining to cyber threats from other participants in the initiative. Therefore, the more the many companies enroll and play active roles in the process, the faster the identification of cyber threats. As a result, best practices and defensive mechanism can be shared among companies (Green 102). Companies in the private sector will stand a chance of benefitting from the federal resources and other government agencies involved in the program thus reducing their expenditure on security.
The intense campaign initiated by the government and other key stakeholders in support of the bill were aimed at calming the controversies that it had stirred up among technology companies and privacy groups. The awareness campaign was further geared towards assisting the business community realize the advantages of information sharing. The aspect of sharing information makes it easy for companies as well as the federal government to act quickly on security threats. As a result, it allows for quick exposure of the nature of potential breaches that may go unnoticed. Those in support of the Act argue that it will lead to increased security of all data and systems thus preventing any cyber-attacks from taking place.
Protection of National Security
CISA is geared towards protecting the United States against cyber attacks on the government offices and other private companies. The emerging revelations of hacking that took place during the presidential elections has prompted the proponents of the continue supporting it as a measure that will end any foreign interference in the elections of the United States (Cullen 125). This has received support of senators from both sides of the political divide who firmly believe that Russia interfered in the 2016 United States elections.
Timely sharing of information based on threats between the government intelligence agencies and the private companies would have prevented many attacks that the country has witnessed such as the San Bernardino terror attack in which the suspect had made some suspicious communication through the online media platform. In regard to the protection of national security, the president of the United States chamber of commerce Mr. Thomas Donohue supported CISA as offering the best opportunity towards addressing both economic and national security. He argued that the nation had got the best chance through CISA in dealing with any future threat to the nation.
Privacy Protection
In order to address civil liberty rights as well as privacy concerns, CISA will call for the federal government to retain, use as well as disseminate any form of information regarding cyber threat from unauthorized use in collaboration with full disclosure. In addition, CISA offers restrictions towards the use and retention of information regarding cyber threat to certain enumerated roles (Gori 48-52). The application of cyber threat information will be subjected to a number of policies and procedures that are yet to be initiated alongside the Act and that will govern the sharing of information. The security controls that have been outlined in the Act will protect the members of the public and organizations against unauthorized accessibility to of the information regarding cyber threats.
CISA calls for private companies and organizations to be in a position to determine whether any form of personal information is to be part of the cyber threat indicators that they aim to share with the intelligence organizations of the government such as CIA. They are entitled to remove any personal information that they feel is not linked to the cybersecurity threat. It is worth indicating that the permission to remove some information that is deemed as personal should be on the ones that are well known and determined to be personal or can be traced to a given individual at the time the information is being shared (Mitra 118). The companies are called upon by the federal government to come up with technical capabilities aimed at assisting in the identification as well as removal of information that is deemed to be personal.
The Act further calls for the Secretary of the Homeland Security which is currently being held by the newly appointed General John Kelly and the Attorney General currently held by Senator Jeff Sessions of the United States to come up with proper guidelines that will guide companies in their bid to identify information that qualify as cyber threat indicators. They further need to initiate the right measures for eliminating personal information from the shared cyber threat information. The guidelines will aim at identification of cyber threat indicators that may bear personal information and are less concerned with threat to security. The measures will also locate various forms of information that are protected under the privacy laws and are not linked to cybersecurity threats.
Evidences against CISA
There has been remarkable opposition towards the Act among various stakeholders, since the bill is less likely to deal with many security threats that the United States is facing at the moment.
Privacy Infringement
The critics of the Act argue that it is a means that the government is aiming to use so as to keep tabs on the members of the public without their knowledge. The bill was contested by privacy advocates as well as technology companies such as Google, Apple, Amazon, and Dropbox among others on grounds of breach to privacy of individuals and organizations. According to Senator Ron Wyden from Oregon who emerged as one of the sharp critics of the law, CISA has little to do with the protection of the security of the American people, but it has more to do with threatening their privacy (Lovelace 84). He argues that people of the United States are seeking real solutions in regard to their protection from foreign hackers and not measures that would allow companies to spread personal information related to their clients.
The Act has some oversights as well reporting provisions in comparison to an earlier version that was introduced by the Senate. Through the implementation of CISA, major violations of privacy of the American people will go unnoticed or will not be protected by any law. The bill further removes powers of the independent watchdog on the surveillance of the government known as the Privacy and Civil Liberties Oversight Board, hence, government intelligence agencies will have the legal backing to decline cooperating with the board. The Act is geared towards waiving privacy as well as wiretapping laws so as to encourage companies and organizations to monitor their own networks. As a result, personal data will inevitably be clapped together with information regarding cyber threats that are shared with the government agencies. The law excuses companies from the liability for the violation of privacy laws except under very extreme situations (Lovelace 64). It is further feared that under the new Act, Americans will have very limited independent judicial oversight that is key towards the protection of individual privacy. The bill is, thus, seen as a major step in the wrong direction at the time when the nation is grappling with the manner in which companies and government agencies are handling personal data.
The Vague Definition of Cyber Threat Indicator
The Act has come under sharp criticisms on grounds of the vague definition of what constitute a cyber-threat indicator. The definition that has been provided in the second section of the bill is very broad and not specific on the many issues that are regarded as cyber threat indicators. The definition seems to encompass any form of information that may offer description towards any method that leads to a person with legitimate accessibility to some information system. The vague definition may result into prosecution of cases that may not be linked in any way to security threat. This will result into an unfair treatment of individuals and companies that may be forced to comply with the provisions of the law. CISA is very expansive in regards to the forms of information that companies are likely to the motivated to share with the federal government. It further offers scanty justification in regards to information sharing. So CISA will only prevent or deter cases of internet crimes, but it will do very little in regards to enhancement of internet security.
The many amendments that bill was subjected to have resulted into minimal changes to the original provisions of the bill that has been viewed as a threat towards individual privacy. The critics argue that the bill needs to be fully harmonized with both the statement issued by the House and the Senate so as to come up with a more comprehensive outcome. They hope that future legislations in the senate will seek to send the Act to the drawing board so as to come up with more comprehensive means of dealing with the rising cases of cyber threats.
Conclusion
The United States is faced with a number of challenges in regards to cybersecurity threats. CISA aims at addressing these issues and despite the opposing views, the impact of the bill is being seen as there have been reduced cases of terrorist attacks. However, tough measures need to be adopted so as to keep off any form of aggression from countries such a Russia and China who have adopted the art of using cyber-threats such as hacks to interfere with the democracy of the United States. The new administration under President Donald Trump must come up with appropriate measures that include looking into the contentious issues that have emerged in regards to the implementation of CISA. The government must also ensure full protection of the privacy of its citizens so as to boost their trust on the government and not to view it as limiting factor towards their freedom of expression.
Works Cited
Cullen, Kristen. Cyber Security: A Crisis of Prioritization. Diane Pub Co, 2014.
Gori, Umberto. Modelling Cyber Security: Approaches, Methodology, Strategies. IOS Press, 2015.
Green, Jeremy S. Cyber Security: An Introduction for Non-Technical Managers. Ashgate Publishing Limited, 2015.
Lovelace, Jr Douglas C. The Cyber Threat. In Terrorism: Commentary on Security Documents, vol. 140, 2015.
Mitra, Ananda. Digital Security: Cyber Terror and Cyber Security. Chelsea House, 2010.
"Text - S.754 - 114Th Congress (2015-2016): Cybersecurity Information Sharing Act Of 2015". Congress.Gov, 2017, https://www.congress.gov/bill/114th-congress/senate-bill/754/text.
