Tuesday, October 27, 2015

U.S. Senate passes controversial cybersecurity bill, encourages businesses to share data with government

The United States Senate passed the controversial Cybersecurity Information Sharing Act with a 74-21 vote after hours of debate Tuesday.

The bill would establish a system in which companies can share so-called "cyberthreat indicators" with the Department of Homeland Security by sharing personal, private business data.

The Senate has been working on CISA for more than six years, said Sen. Dianne Feinstein (D-Calif.), who co-sponsored the bill.

"This is kind of a new day," Feinstein said. "A way to pass a complicated, somewhat technical bill."

On Oct. 22, the Senate voted 83-14 to close debate on various amendments, moving the bill to Tuesday's vote. Five last-minute privacy-minded amendments were also shot down on Tuesday before the final vote.

Sen. Ron Wyden (D-Ore.) was the leading CISA critic throughout the hours of floor debate Tuesday.

"Increasingly, when Congress just reacts to a technology issue which is all over the news, instead of getting the win-win -- which is more security and more liberty -- Congress ends up with a policy that really doesn't deliver on either count," Wyden said.

Important first step forward, says broad coalition of supporters, including Democrats, Republicans and industry

Proponents include a rare bipartisan coalition of senators, President Barack Obama and many industry groups - particularly the financial sector. JP Morgan Chase, Target, Sony and Home Depot have all suffered significant data breaches in the past three years.

Breached businesses haven't seen their stocks plummet. A Harvard Business Review article noted that "even the most significant recent breaches had very little impact on the company's stock price."

However, that doesn't mean there aren't significant costs for affected businesses. Target, for example, lost about $236 million from breach-related costs and pledged $100 million to upgrade its systems. Research has shown average fallout costs from a breach have increased 11 percent in 2015, up to $6.5 million.

Businesses have a strong incentive for the government to look into potential explanations for how these hacks occurred. The government itself also has a self-interest, as more than 22 million people had sensitive information exposed from a July hack of the Office of Personnel Management. Feinstein described CISA as an important first step on cybersecurity policy.

Cybersecurity is a uniquely 21st century threat to governments, businesses and ordinary citizens around the world. The ability of hackers to act from anywhere around the world, the increasing complexity of computing systems, and the difficulty of detecting vulnerabilities in security are the main reasons cybersecurity has become one of the biggest problems for the Department of Homeland Security.

CISA could establish programs in addition to the ones already in place for DHS. Current cybersecurity programs include the National Cybersecurity Protection System, Continuous Diagnostics and Mitigation, the National Cybersecurity and Communications Integration Center and Federal Information Security Management Act reporting.

Tech industry and privacy advocates unite in opposition to CISA, claim it misses actual issue

CISA support is far from unanimous. Sen. Ron Wyden (D-Ore.) has been a lead critic, citing privacy concerns as his main worry. Wyden said that CISA encourages large, unspecific dumps of personal data from businesses to governments. "The bill says, with respect to personal data, when in doubt, you can hand it over," Wyden said.

Joining Wyden in Senate opposition are two presidential candidates: Sen. Bernie Sanders (I-Vt.) and Sen. Rand Paul (R-Ky.).

The tech industry has also voiced its disagreement with CISA. Companies that have released statements against the bill include Apple, Wikimedia, Yelp, Twitter, Dropbox and Reddit, among others.

"We don't support the current CISA proposal," Apple said in an Oct. 20 statement. "The trust of our customers means everything to us and we don't believe security should come at the expense of our privacy."

Going beyond privacy concerns, national security expert Patrick Eddington wrote that there is little to no evidence that "sharing cyber threat indicators" will enhance Internet security.

For example, in the case of the Target breach, hackers were able to get into Target's system through a third-party vendor, a refrigeration company. Even if Target's systems were impenetrable, if outside sources such as third-party vendors have access to sensitive data, the company is still vulnerable to breaches. It is not clear how CISA would handle these types of inter-business relationships.

A Boston Globe editorial said the bill missed the underlying causes of cybersecurity issues, arguing that encrypting data, updating systems and boosting cybersecurity funding are what would actually help businesses protect themselves from hacks.

The night before the final vote, whistleblower Edward Snowden went on Reddit to explain his opposition and fears over privacy with CISA. "CISA isn't a cybersecurity bill," Snowden wrote. "It's not going to stop any attacks. It's not going to make us any safer. It's a surveillance bill."

The Senate and House of Representatives would need to convene to create one mutually agreeable version of CISA before sending it to the White House for final approval.