The U.S. Senate passed a cybersecurity bill on Tuesday and it is already the subject of great debate. In a 74-21 vote, the Senate approved the Cybersecurity Information Sharing Act (CISA), which promotes the sharing of hacking threats between companies and the government.
Supporters of the bill feel it is important for companies and the government to be in sync when it comes to hackers and cyber threats. Right now, when a private company is attacked, they aren’t legally able to share any detailed information about what exactly happened and how they were affected. With the CISA, they would be able to share the details with the Department of Homeland Security, which could then in turn warn other potential targets. It’s sharing of information to protect the greater good.
However, it’s that sharing of information that isn’t sitting well with a lot of people.
Under the CISA, the Department of Homeland Security would share a company’s breach report with the National Security Agency and other spy agencies. Those reports could include not just information about the security problem, but also customers’ personal information. The program is voluntary for companies, but not for the customers who have their personal data shared in ways they never anticipated.
Some amendments to the bill that would have helped with privacy issues were rejected by the Senate. One failed amendment would have required companies to remove personally identifiable information before sharing a threat report.
IdentityForce agrees with those who oppose the CISA.
“We are disappointed that the Senate passed the Cybersecurity Information Sharing Act in its current form,” said Steve Bearak, Chief Executive Officer of IdentityForce. “We agree with the spirit of the CISA, which makes it easier for companies to share information about online threats with each other and with government authorities. However, this bill clearly puts security ahead of privacy — and our subscribers trust us to help them protect their identities and this fundamental right.”
In an article by NPR, an important point is brought up — that lawmakers are focusing on the wrong thing. They should be working on creating mandatory cybersecurity standards for companies, as so many have not invested in services to identify breaches and may never even know they were attacked in the first place. Creating an information sharing network isn’t going to do anything if a vast majority of companies are totally in the dark about keeping their systems and information secure.