Cybersecurity Information Sharing Act Approved by Senate

POSTED NOVEMBER 3, 2015

A special to USLAW NETWORK and USLAW DigiKnow

By Karen Painter Randall, Connell Foley LLP, Roseland, New Jersey

After early unsuccessful attempts, on October 27, 2015, the Senate finally passed the Cybersecurity Information Sharing Act (“CISA”), a bill intended to curtail cyberattacks by encouraging its victims to share information about the attack, potentially protecting future would-be targets.

Under CISA, when a U.S. company is the victim to a cyberattack, the federal government will receive an alert and, thereafter, immediately distribute a “cyber threat indicator” that includes detailed information about the attack to other companies. The company first informs the Department of Homeland Security, which in turn informs the FBI, the NSA, other government agencies, as well as other companies. While industry-specific and private services exist that do this exact task, CISA would be the first to do so across industries.

The bill targets the information gap between a private company that has been attacked and other companies and the government. Usually in order to limit liability, a company can only share knowledge and details of the attack internally, often only with its legal counsel. As a result, critical information like the origin and nature of the attack never reach an audience full of potential next victims. Instead, the same methodology for an attack can be used over and over again on multiple companies without a single company ever knowing it has fallen prey to the same cyber predator as others. CISA targets this issue by spreading information about the attack as soon as possible.

Participation in CISA is solely voluntarily, but the bill provides a huge incentive to partake: elimination of liability, rendering participants near immune to lawsuits for sharing information. The information to be reported by each company, can potentially contain personal or sensitive information, but is more likely to contain data like a harmful code responsible for an attack. These cyber threat indicators can then be distributed.

The 74 to 21 vote in the Senate in favor of CISA reflects strong bipartisan support, but opponents still cite privacy and effectiveness concerns. Tech giants like Apple and Symantec have publicly criticized the bill for its potential privacy issues. Others have questioned the bill’s practicability; many companies often do not even realize they have been hacked, challenging the effectiveness of a knowledge-based prevention system.

In spite of such objections, CISA is a welcomed response from the government to address one of the biggest issues facing the private and public sector alike. Following mega breaches like that of Sony or Target, the bill is an overdue early step to combat the ever-growing threat and presence of cyberattacks.

Designed & Developed by Peak Seven