Recently, Apple stated its opposition to a controversial cybersecurity bill whose initial amendments passed today in the Senate. The Cybersecurity Information Sharing Act (CISA) has been marketed as the most important, comprehensive and viable bipartisan bill tackling cybersecurity [this legislative session]. Previous cybersecurity-related legislation such as the Cybersecurity Act of 2012 and the Securely Protect Yourself Against Cyber Trespass Act of 2005 never made it out of Congress.
At its base, the CISA bill encourages private companies to share "cyber threat" information with the federal government. According to the bill’s language, it allows information collected by organizations to be passed to state, tribal, or local law enforcement – along with threat indicators in real time to federal agencies. While CISA is strictly voluntary, organizations that opt to participate would receive certain liability protections for acting in accordance with the parameters set forth in the bill. Part of the information-sharing mandate would enable the government to provide participating organizations with classified information about potential threats – and also open channels for private companies to send user data to law enforcement.
Several companies and organizations have expressed concern that sharing user data violates customer privacy. There are no parameters set for permissible uses of information that is shared with the government and other agencies. Mozilla, one critic of the bill as it stands, takes issue with the lack of meaningful provisions requiring companies to remove personal information prior to sending it to the government, a condition exacerbated by real-time sharing and data retention.
Apple is not alone in its concern over CISA. Several other tech companies, including Salesforce, reddit, Yelp, and Twitter, have also voiced hesitation over the bill’s content. In addition, industry trade groups such as the Computer and Communications Industry Association and the Business Software Alliance are firmly against the bill. In August 2015, even the Department of Homeland Security, designated as one of the primary government stakeholders of CISA, expressed concern that the bill could sweep away “important privacy protections.”
At its core, Section 4 of the bill seems to be the most disconcerting, as it:
“Permits private entities to monitor, and operate defensive measures to detect, prevent, or mitigate cybersecurity threats or security vulnerabilities on: (1) their own information systems; and (2) with authorization and written consent, the information systems of other private or government entities. Authorizes such entities to monitor information that is stored on, processed by, or transiting such monitored systems.”
Some find this language frighteningly ambiguous. In the aftermath of Edward Snowden's disclosures that allegedly exposed a mass surveillance effort by the government, a 2014 survey by the Pew Research Center provided these findings:
- 91 percent of adults “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies.
- 80 percent of adults “agree” or “strongly agree” that Americans should be concerned about the government’s monitoring of phone calls and Internet communications.
- 64 percent believe the government should do more to regulate advertisers, compared with 34 percent who think the government should not get more involved.
A 2015 Chapman University survey on what Americans fear revealed similar findings. Among the 1,500 individuals polled, more than 40 percent feared corporate or government tracking of personal information, a larger share than feared such threats as bio-warfare or economic collapse.
In an effort to quell fears over privacy and surveillance, the Senate did agree on an amendment meant to neutralize concerns by restricting the type of data that companies can share and setting up a system to remove personal data received under this measure. In a recently published CISA fact sheet, two Senators attempt to debunk the perception that CISA is a surveillance tool benefiting the government. The final outcome of the bill is expected next week; if passed, the bill will move to the House of Representatives for reconciliation.
Despite the semantics under debate, one thing is clear: the United States lacks updated cybersecurity legislation that reflects the dynamic nature of the cyber threat environment for individuals and organizations. Passing this bill is a good first step to help guide government policy and ensure a code of conduct between citizens and their government. Even if CISA is not a perfect fit, it is incumbent on citizens to work with our elected officials to ensure that cybersecurity legislation addresses real concerns without impeding individual privacy and security.