United States senators on Tuesday voted 74-21 to approve the Cybersecurity Information Sharing Act (CISA), which would encourage businesses that have been hacked to pass along details of their data breaches to federal law enforcement.
The House passed its version in April, after Richard Burr (R-North Carolina) introduced legislation in March. The White House has since backed it, saying in a statement that it’s an “important building block for improving the nation’s cybersecurity.”
But critics, including the Center for Democracy and Technology and the American Civil Liberties Union, have labeled CISA an excuse for the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) to get information on Internet users without a warrant.
The bill, which has had many amendments, “risks turning the cybersecurity program it creates into a backdoor wiretap by authorizing sharing and use of cyber threat indicators for a broad array of law enforcement purposes that have nothing to do with cybersecurity,” Greg Nojeim, a senior counsel at the Center for Democracy and Technology, said in a blog post late last week.
Supporters, however, have disputed that it will endanger privacy, insisting that real-time sharing “enhances situational awareness” and alerts other potential targets, which can then defend themselves.
It’s not an entirely new concept—existing programs coordinated by Homeland Security and the National Institute of Standards and Technology share threat information—but it provides “a focused approach to incentivize” more sharing by shielding cooperating companies from private lawsuits and antitrust laws.
But as Scientific American has pointed out, while CISA outlines how the federal government would share information throughout its various agencies, the bill offers little mention of how the private sector might access it. It’s also voluntary.
Furthermore, its detractors have argued that the real reason hackers are able to steal data is that many companies are relying on outdated defense strategies, such as antivirus software, firewalls and unencrypted files.