What is CISA?

Cybersecurity Information Sharing Act( CISA) of 2015 is a modified bill known as CISPA(Cyber Intelligence Sharing and Protection Act) which failed to pass congress 3 times due to public criticism.

CISA would allow big corporations to share information about cyber threat with the government or each other without fear of being sued.

The controversial bill that is making it's way to becoming law in the US has undergone several revisions and has been met with a lot of criticism. Alas, a version of CISA was passed by the House of Representatives in April of this year, then made more headway towards becoming law on October 22, 2015 as the revised bill advanced in US Senate with support from both parties and the White House. If the bill will pass the Senate vote on Tuesday October 27th – the bill would need to be reconciled before it would get signed into law by the President.

[UPDATE] CISA, renamed Cybersecurity Act of 2015, was quietly added to the federal budget bill on Wednesday December 16th, 2015 with many congressmen failing to read the 2000+ page 'Omnibus' budget bill before voting on December 18th. The bill was passed 316 to 113. Now, that the bill was passed in the federal budget – the presidents signature officially enacts CISA into law.

According to the supporters of the bill, it is a comprehensive step toward securing private data against hackers achieved by having companies share early “cyberthreat indicators” with the Department of Homeland Security. The opposition – groups advocating internet privacy, security and civil liberties believe the bill will cause more problems than it will solve.

List of issues with the proposed CISA bill:

Giving large powers to companies that have access to private data

Internet communication companies like Facebook or Google have access to a lot of private internet user data. CISA would grant such companies the right to monitor and take initiative against any perceived ‘suspicious’ threats. This means the personal data of millions of users would be actively monitored and collected. In turn, the companies would gain immunity to any existing surveillance laws.

CNN reports: Two major tech industry groups that together represent Amazon, Dell, eBay, Facebook, Google, Microsoft, Yahoo and others stand starkly against the bill for privacy reasons. Apple, Salesforce and Twitter have issued statements saying the bill is a bad idea.

The Silicon Valley Giants argue that CISA does not offer any protection or solutions to the cyber attacks they would need to report on, instead it invades their user privacy.

Disclosing private information to the government agencies without warrant

CISA would require the said companies to disclose that data to the government without a warrant. More precisely – ‘real time’ sharing of information would take place.

Information likely shared: could be anything from email content, passwords, IP addresses, or personal information associated with an account.

Recent cybersecurity incidents are used as arguments to push CISA through faster, without thinking of the repercussions.

Earlier this year the hacking scandal of OPM was cited when trying convince the politicians and the public that the US needs to prevent foreign threats online. The problem with this logic is that of false attribution. Instead of fortifying security standards like security protocol enhancement and eduction (i.e. alarming number of OPM accounts used the password ‘password’ to access their accounts) -the focus is on a program that would compromise and expose more data as it is shared.

The companies can initiate countermeasures against ‘perceived threat’.

The companies which would track and monitor internet user data, would gain a significant set of powers with little to no oversight. Also they would not be accountable, unless ‘significant’ harm came to innocent bystander.

It would be difficult to retrieve information about private data collection even under freedom of information act.

All information collected with CISA would be warrantless and exempt from detailed reporting on the data collection and subsequent fate once it was passed on to agencies like FBI, NSA, etc.

The language used in the CISA bill proposal is very vague.

The definitions on terms like “Cybersecurity threat” or “Cyber threat indicators” are so vague that they impose virtually no limitations on what data can be collected and shared.

Considering how earlier this year the Circuit Court of Appeals voted mass surveillance illegal, its disappointing to see the controversial bill becoming law.

The impact of the Cybersecurity Information Sharing Act

While the passing of CISA in 2015, was an attempt to help corporate victims of cyberattacks on a gross scale, data privacy experts remain skeptical. If the data of individuals and business partners can legally be shared with governments, security agencies, and other third-parties, for a vague, broad range of reasons, it could prove fatal to individual privacy and civil liberties.