For years, American companies have begged Congress to improve the nation’s defenses against hackers.
They finally have a potential game changer. The U.S. Senate is about to vote on a bill called the Cybersecurity Information Sharing Act (CISA) that lets companies work more closely with law enforcement than ever before.
If a company gets hit with a specific type of hack, the federal government would receive an alert and immediately distribute warnings to other companies.
Every cyberattack is like a flu virus, and this is a lightning-fast distribution system for the flu vaccine. Opt in, and you get a government shot in minutes, not months.
Computer scientists and military experts all agree that automatic, immediate sharing helps the nation raise its collective defenses.
But technology companies hate this bill.
Two major tech industry groups that together represent Amazon, Dell, eBay, Facebook, Google, Microsoft, Yahoo and others stand starkly against the bill for privacy reasons. Apple, Salesforce and Twitter have issued statements saying the bill is a bad idea.
Even security giant Symantec refuses to support the bill.
Why? Because CISA doesn’t only help companies stop hackers. It also gives the FBI tools to spy on Americans for all sorts of crimes.
Plus, critics worry that having companies feed more information to the federal government will increase NSA surveillance on Americans without court oversight or warrants.
That’s why some, like U.S. Senator Ron Wyden, call this a surveillance bill in disguise.
Meanwhile, nearly every other industry says America needs CISA — right now. Banks, energy companies, hospitals, insurers, telecommunications providers, even IBM — they’re all getting hit by hackers and say they need the additional help.
The current problems
Numerous speed bumps keep companies from reacting to cyberattacks in real-time.
First, the FBI currently knows a lot about hackers and their tactics, but bureaucratic rules about how they can share “classified” information with private sector firms really slow how they warn potential victims, according to several FBI agents who operate on hacking investigations.
Second, there isn’t an established channel for sharing hacking evidence with the Department of Homeland Security, FBI, NSA and others. Again, that means the process is usually slow.
Third, companies typically resist sharing data with the government anyway … until they’re forced to.
CISA attempts to correct all of these.
How CISA might work
Let’s say a bank gets hacked with a certain computer virus. According to CISA, if the bank decides to share information:
The bank must first wipe the data clean of customer data.
Then it shares “cyber threat indicators” — samples of malicious code — with DHS.
DHS then shares it with FBI, NSA and other government agencies to catch and stop the hackers.
If DHS shares information with companies, it too must scrub any personal data before it sends out alerts. All of this is supposed to happen automatically, just computer servers talking to computer servers.
The bill also subjects government agencies to biannual reviews to make sure that civil liberties will not be violated.
But privacy advocates are still concerned:
The bill calls for “real-time” sharing. Companies in a hurry might not wipe the data enough before law enforcement gets it, expanding how much they know about Americans.
Those jumbles of code known as “cyber threat indicators” could still be revealing about Americans’ daily lives.
DHS isn’t allowed to wipe personal data if another agency, like NSA, objects.
And even though law enforcement is only allowed to collect “cyber threat indicators,” cops can use them to investigate “an imminent threat of death,” bodily harm, economic harm and “terrorist” acts.
“It creates the wrong impression about what this bill does,” said Jeff Greene, a top policy attorney at Symantec who wants that language cut out of the bill.
Perhaps most importantly, companies that share too much — and accidentally harm their customers — are protected from lawsuits. A key provision in CISA is the complete elimination of liability for companies that share data. Last week, U.S. Senator Rand Paul warned, “It makes your privacy agreement not worth the paper it’s written on.”
There’s yet another issue. Jonathan Mayer, a computer scientist and lawyer with expertise on national security, is worried that if a hacker steals a database of Americans’ private information from a company, the NSA gets to keep that.
But a former senior U.S. official told CNNMoney that NSA already grabs stolen data in its mission to protect the United States from hackers. And it has rules in place to minimize the effect on peoples’ privacy.
“Would it give our spy agencies greater visibility? Definitely. That’s the point,” the official said.
The Senate is scheduled to vote on CISA on Tuesday, then, if it passes, it would merge with a similar House bill, get voted on again and head to President Obama’s desk.
This kind of cybersecurity policy is a long time coming. CISA (and similar bills that have failed twice in the past) stem from the recommendations of President Bush’s commission on cybersecurity.