It took several tries, but on Tuesday the U.S. Senate approved a measure to help American companies work more closely with law enforcement to fight off hackers.
The Cybersecurity Information Sharing Act (CISA) overwhelmingly passed with a vote of 74 to 21.
Tech companies were suspicious of the bill, but worries that hackers are continuously breaking into companies trumped fears that CISA would expand U.S. government spying on Americans.
CISA must now be merged with two similar bills that have already passed in the House of Representatives before it heads to President Obama’s desk.
The idea behind CISA is to help U.S. companies react more quickly to cyberattacks on their computer systems. If a company gets hit with a specific type of hack, the federal government would receive an alert and immediately distribute warnings to other companies.
Every cyberattack is like a flu virus, and CISA is intended to be a lightning-fast distribution system for the flu vaccine. Opt in, and you get a government shot in minutes, not months.
Currently, industries maintain specialized, military-like “information sharing and analysis centers” to track cyberattacks and collectively develop defenses. Banking has its ISAC. The energy sector has its own too. But they don’t team up.
With CISA, a power plant might learn how to defend itself from a virus that hit a bank — within minutes. All of this is supposed to happen automatically, with computer servers sending constant updates to other computer servers.
CISA would create a single system that sends “cyber threat indicators” — such as samples of malicious computer code — to the Department of Homeland Security. DHS would then feed this data to the FBI, NSA and other government agencies. DHS would also share warnings with every participating American company.
Computer scientists and military experts agree that automatic, immediate sharing helps the nation raise its defenses.
A significant element of the bill is that CISA would eliminate liability for companies, making them immune to lawsuits for sharing too much. Banking, energy, health care, insurance — almost every industry but tech supported the bill.
Several efforts to include additional privacy measures were shot down in the Senate.
However, there are worries that companies in a hurry might not wipe the data enough before law enforcement gets it, expanding how much authorities and spies know about Americans. There’s also concern that this bill gives the FBI another tool to investigate Americans for crimes that have nothing to do with hacking.
To address those concerns, CISA includes privacy guards to ensure that companies wipe customer data before handing it to the government. The bill also subjects government agencies to biannual reviews to make sure that civil liberties will not be violated.
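The “wipe customer data before handing it over” step described above, as an added illustration that is not code from the article or from any DHS or company system. It assumes a hypothetical internal incident record and a hypothetical shareable-indicator schema; all field names and the sample record are constructed for this example. It uses an allowlist (only attack-descriptive fields leave the company) rather than trying to enumerate every personal field to remove.

```python
"""Minimal 'scrub before sharing' step for a cyber threat indicator.

Added example, not code from the article or from any CISA/DHS system.
Assumes a hypothetical incident record (a dict) and a hypothetical
shareable-indicator schema; field names here are constructed.
"""
import hashlib
import re

# Allowlist: only fields that describe the attack itself may be shared.
# Anything not listed (customer names, e-mails, account numbers) is dropped,
# which is safer than a denylist that has to name every personal field.
SHAREABLE_FIELDS = {"indicator_type", "value", "malware_sha256", "first_seen"}

# Free-text fields may still embed personal data, so redact e-mail addresses.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scrub_free_text(text: str) -> str:
    """Replace any e-mail address in a free-text field with a marker."""
    return EMAIL_RE.sub("[redacted]", text)


def build_shareable_indicator(incident: dict) -> dict:
    """Return only the attack-descriptive fields, with free text redacted."""
    shared = {k: incident[k] for k in SHAREABLE_FIELDS if k in incident}
    if "description" in incident:
        shared["description"] = scrub_free_text(incident["description"])
    return shared


# Constructed sample of what an internal incident record might hold.
INCIDENT = {
    "indicator_type": "domain",
    "value": "malicious.example",           # attacker infrastructure (shareable)
    "malware_sha256": hashlib.sha256(b"sample").hexdigest(),
    "first_seen": "2015-10-27",
    "description": "Phishing mail sent to alice@corp.example asking for login",
    "customer_name": "Alice Example",        # personal data (must not be shared)
    "customer_account": "0001-2345",
    "customer_email": "alice@corp.example",
}

if __name__ == "__main__":
    print(build_shareable_indicator(INCIDENT))
```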
Randy V. Sabett is a former NSA analyst who sat on a cybersecurity committee for President Bush that raised these issues in 2008. He said this is an opportunity for America to step up its game against hackers.
“This bill doesn’t do anything except help us defend our companies better,” said Sabett, now an attorney in Washington, D.C.
U.S. government agencies and corporations have come under attack in recent years by hackers from the Chinese, Iranian and Russian governments.
CISA, however, scares privacy advocates who fear companies getting too cozy with law enforcement.
The Obama administration supports CISA overall, and succeeded in pushing for privacy measures to be included in the bill. But just last week, it expressed concerns that CISA would still let too much information be shared with spy agencies and the military.
Some hacking experts say CISA is, in principle, a good idea, but does little to address the actual problem: Companies are lazy and unguarded, and most people don’t know how to act safely online.
“CISA will do very little, if anything, to protect our national cyber-security interests,” said Ben Johnson, a former NSA analyst who now works with cybersecurity firm Bit9.
Ex-NSA contractor Edward Snowden, who exposed widespread spying on Americans and remains in hiding in Russia, criticized CISA. He said the FBI and NSA already collect this kind of hacking data all over the Internet — but CISA would allow them to collect even more directly from companies.