The Cybersecurity Information Sharing Act (CISA) has sparked a firestorm in the United States, within the government and private sector, and among internet users. After voting to move the bill forward, the Senate will return to it next week, amidst widespread protest by technology companies and security experts alike. The bill’s opponents claim that it will only serve to broaden the National Security Agency’s surveillance methods and put user privacy at grave risk.
Proponents retort that CISA, which will encourage private companies to share data with the government, will help limit heavy or high-profile cyber attacks. Senators who support the bill say it will allow companies to share information about the cyber threats they detect and deploy defensive measures to protect their networks.
There is a huge disconnect between the two sides. Supporters insist CISA will ultimately protect users by incentivizing companies to turn over information about threats to the government; detractors maintain the bill will open doors for hackers instead of limiting their access. Meanwhile, Silicon Valley is in a veritable tizzy over how CISA could potentially allow the government to overstep its bounds in terms of gaining access to data through companies’ “back doors.” Apple and Dropbox are two major companies that have stated they do not support CISA, alongside Google and Wikipedia, noting that the bill is a thinly disguised surveillance measure that will do little to protect Americans from hackers.
Indeed, some believe the bill will do just the opposite. The Guardian quotes Oregon Senator Ron Wyden’s comments addressed to President Obama: “There is a saying now in the cybersecurity field, Mr President: if you can’t protect it, don’t collect it. If more personal consumer information flows to the government without strong protections, my view is that’s going to be a prime target for hackers.”
Professor Jean Camp, Director of the Security Informatics Program at Indiana University Bloomington, told Blouin News that cyber security measures should be centered on strengthening networks, and CISA would not achieve that. According to Camp: “It does not matter if this is for spying or industry. What matters is if it makes the network more or less resilient. The proposals will make the network less resilient. No market has ever been improved by a lack of transparency combined with immunity to liability.”
Camp noted that, in a basic sense, decreasing privacy decreases security, echoing Wyden’s point. “Creating more copies of information and distributing it widely does not make it more secure,” she pointed out. Camp added that the conflict here is between “badly designed legislation versus security and privacy, rather than a conflict between security and privacy.”
Another conflict is visible: the urgent need to strengthen networks against cyber attacks versus the time it would take to actually do that. Some think it’s too late.
Jody Westby, CEO of Global Cyber Risk LLP, said at the Blouin Creative Leadership Summit last month that the bad guys have won. While she emphasized the need for the private and public sectors to work together, she also noted that cyber criminals are advanced on an international level. For example, some hackers investigate cyber crime laws in every country, and choose to operate in those with slack measures.
While CISA supporters have openly acknowledged that the bill will not be a “silver bullet,” they argue it’s better than nothing. And yet, opponents think it’s worse than nothing. If anything, at least the fiery debate over CISA is fueling a conversation about the cyber-protective needs of the U.S. going forward.