Does CISA’s passage into law make you wake up in a cold sweat?
For many in the cybersecurity and privacy fields, the answer to this question is likely yes. The passage of CISA, or the “Cybersecurity Information Sharing Act” (also known as “The Cybersecurity Act of 2015”), has been the nightmare of many privacy advocates and activists for years.
The stated goal of CISA is to facilitate the transfer of cybersecurity-related information between private companies and the federal government through online portals designed for this purpose. The idea is to help make companies more secure by allowing information on a cyber threat experienced by one company to be easily shared with the federal government and, in turn, with other similar companies.
As CNN described it in October:
“CISA would create a single system that sends ‘cyber threat indicators’ — such as samples of malicious computer code — to the Department of Homeland Security. DHS would then feed this data to the FBI, NSA and other government agencies. DHS would also share warnings to every participating American company.”
Some proponents of CISA have cited four provisions of the bill when discussing why the measure is an important step forward for cybersecurity (as Lars Harvey, CEO of Internet security firm IID, pointed out in his blog):
- It’s not mandatory
- It protects organizations that share data from lawsuits stemming from data sharing
- It mandates that personal identifying information be removed from shared cyber threat data, unless it’s directly relevant to the threat
- It limits the use of shared data to criminal prosecutions
“This bill doesn’t do anything except help us defend our companies better,” Randy V. Sabett, former NSA cryptography engineer turned attorney for a Washington, D.C. law firm, told CNN.
But as anyone who spends time on the Internet will tell you, CISA has its share of detractors (a lion’s share, some might say).
Opponents consider CISA a thinly veiled government surveillance bill dressed in the sheep’s clothing of cybersecurity. Those against CISA say the bill will encourage companies to hand over information about their customers to the federal government even if there’s the slimmest chance it could be related to a cyber threat.
As Robyn Greene, policy counsel at New America’s Open Technology Institute, said in a media release:
“We are deeply disappointed that Congress has passed CISA into law, despite our serious concerns that it will undermine privacy and cybersecurity. Hopefully, the private sector, the intelligence community, and law enforcement will construe its dangerously broad provisions as narrowly as possible, so that the impact on online privacy is minimized.”
Is There a Good Side?
We think there is a strong argument in favor of CISA that isn’t being expressed very clearly.
The core of CISA is about sharing cybersecurity threat information, which in the cybersecurity world is always a good thing. The more that’s known about a specific virus, piece of malware, or other cyber threat, the better off the good guys are.
Let’s take this a step further. Say a large bank encounters a brand new piece of malware. Through the CISA provisions, this bank can now easily share this new bit of cyber threat data with federal authorities. The government, then, can distribute information about this threat to other, similar organizations that have opted in to receive such alerts.
Sharing information like this will allow more companies and organizations to adapt to emerging threats without having to be impacted by them first. In this way, we think opening up a path of shared cybersecurity information is really opening a path to truly adaptive cybersecurity management programs.
If the concept of “adaptive” applied to cybersecurity sounds familiar, it’s because the oft-cited NIST Cybersecurity Framework sets Adaptive as the top tier for cybersecurity management programs. Per the Framework, a Tier 4: Adaptive program has three basic attributes. Such a program is:
- Based on lessons learned and predictive indicators
- Continuously improved via active adaptation to combat evolving threats
- Part of the overall organizational culture
You’ll notice that the first two bullet points would be helped immensely by the data sharing provisions of CISA. The more information a company has about what threats are out there, the more energy it can put toward correcting weak spots in its own cybersecurity. In other words, the more adaptive it can be. Knowledge of this sort puts more power to adapt to and address threats into the hands of cybersecurity professionals.
Additionally, a greater understanding of the risks that are out there, forged through greater information sharing, will allow organizations to better plan for those risks. An improved ability to plan for risks is key for both cybersecurity management programs as a whole, and effective security awareness programs. The better the risk analysis is before a security awareness program is developed, the more prepared the organization and its members will be for what’s ahead (and the more adaptable that program can be).
CISA is far from perfect. But we believe vigilant and appropriate information sharing on cybersecurity threats is the right step toward true adaptability for both cybersecurity management and awareness.