The US Senate passed the Cybersecurity Information Sharing Act (CISA), a bill that is being considered a critical step forward in addressing cyber threats and ensuring tools are in place to deter future cyber-attacks.
The Senate passed the bill by a vote of 74-21, and the bill now heads for reconciliation with the earlier-passed House cybersecurity bill.
Proponents of the bill said it will help prevent cyberattacks by facilitating a common awareness in the cyber realm.
The CISA is a controversial measure to encourage businesses and government agencies to share information related to malicious hackers and their methods.
The main provisions of the bill make it easier for companies to share personal information with the government, especially in cases of cyber security threats. Without requiring such information sharing, the bill creates a system for federal agencies to receive threat information from private companies.
The bill does not provide legal immunity from privacy and antitrust laws to the companies which provide such information.
With respect to privacy, the bill includes provisions to prevent the sharing of data known to be both personally identifiable and irrelevant to cyber security.
Any personal information which does not get removed during the sharing procedure can be used in a variety of ways. These shared cyber threat indicators can be used to prosecute cyber crimes, but may also be used as evidence for crimes involving physical force.
CISA’s problem had been the liability and privacy concerns that companies expose themselves to when they start handing data—customer records in particular—to the government.
The bill limits companies’ liability in lawsuits, but the Senate voted down measures that would have required businesses and government agencies to at least try to scrub records of data that could be used to identify individuals.
Critics point out that information sharing will do little to prevent successful cyber attacks. In fact, the federal government already has an organization for sharing cybersecurity threat information.
Several privacy advocates and businesses opposed to CISA have pointed out that sharing information about new types of malware, suspicious network activity and other cyber-threat indicators will do little to crack down on cybercrime.
Such information sharing must be combined with implementing encryption, patching outdated software and otherwise bolstering cyber defenses.
The Senate rejected three separate amendments that at least attempted to remove data that could identify individuals before sharing customer information when that information is not necessary to describe or identify a cyber threat.
Another amendment, however, gives participating companies legal protections from antitrust and consumer privacy lawsuits. And the government claims that information it receives will not be used to prosecute non-cyber-related crimes.