Office of Personnel Management, Sony Pictures Entertainment, Target, Home Depot, JP Morgan, Anthem—the list is long when thinking of cybersecurity breaches. In 2014, breaches went undiscovered for an average of 205 days and 79 percent of hacked companies only discovered they had been breached when informed by a law enforcement agency.
Clearly this is a complex problem that requires a whole-of-government response, but Congress has to provide the legal authorities and protections. Twice before they have tried to pass cybersecurity legislation making it easier for corporations to share cyberthreat information with each other and the government. Each time it has stalled in the Senate.
This week the Senate is scheduled to vote on the Cybersecurity Information Sharing Act of 2015 (CISA) in a third attempt to counter the threat everyone knows needs to be dealt with. The House passed its version of the bill in April.
The issue the Senate is dealing with is how to share cyberthreat information across public and private cyber systems while protecting individual rights to privacy. On one side is the argument, strongly supported by industry groups and a broad bipartisan coalition of lawmakers, that sharing threat information instantaneously across organizations and domains will allow threats to be detected early and contained, if not defeated.
But businesses—most often the targeted entity—are concerned that sharing information will inevitably mean sharing customers’ personally identifiable information, which opens them to potential customer lawsuits. CISA provides businesses that share cyberthreat information protection from customer lawsuits.
On the other side, supported by a coalition of 39 digital rights and privacy groups and 20 security experts, are concerns that the bill will not adequately protect users’ personal information and will allow businesses and the government to share more of that data than is necessary to identify or respond to cyberthreats.
The White House supports CISA, and the bill was passed out of the Senate Intelligence Committee with a vote of 14-1 back in March. Committee Chairman Richard Burr and Senator Dianne Feinstein, the ranking Democrat, have incorporated in the bill measures that would limit government use of any shared information to investigating and prosecuting cybersecurity crimes. In a speech urging support of the bill, Feinstein stated, “This bill is bipartisan. It is narrowly focused, and it puts in place a number of privacy protections.”
Cybersecurity has been a known national vulnerability for several years. This bill will allow the public and private sectors to work together in a coordinated manner to reduce that vulnerability. It may not be perfect, but it moves us forward and adjustments can be made as they become necessary. Without CISA, the full power of the government cannot be brought to bear on this national priority.
Is the third time the charm?
Raymond D. Barrett, Jr.
Simons Center for Interagency Cooperation