The US Senate recently passed the Cybersecurity Information Sharing Act - or CISA - by a wide 74-21 margin.
The Senate vote in favor of CISA, came after multiple attempts spanning five years to pass similar legislation under different names. The bill also drew on the highly controversial "cyber" legislation before it: SOPA and PIPA.
Some of the tech companies that have raised concerns about CISA include Google, Apple, Microsoft and Oracle. But CISA sponsor Senator Richard Burr addressed those companies ahead of the vote, saying "Do not try to stop this legislation and put us in a situation in that we ignore the fact that cyber attacks are going to happen with greater frequency for more individuals, and that the sooner we learn how to defend our systems, the better off personal data is in the United States of America."
The stated purpose of CISA is to allow companies to share information in real time about perceived hacking threats, but critics of the bill warn it's a legal framework for mass surveillance in cybersecurity clothing.
We recently spoke with Richard Parris, CEO of cybersecurity firm Intercede, who emphasizes the need to balance security and privacy moving forward especially among digital natives.
Don’t we already have public distrust of how our data is handled? Would passage of this legislation really change that?
It’s true there is already public distrust towards government data practices – a quarter of Millennials feel the government is already accessing their data with or without their consent. The issue here comes down to what happens if that distrust grows? While the bill may be an attempt to prevent network security breaches, the potential infringements on data privacy could result in a greater backlash. In fact, forty-four percent of Millennials predict a decline in data sharing and a significant portion theorize a decline in economic and political stability if businesses and governments fail to protect online identifying data. The government should heed these figures as a warning – while network security is important, citizens do not want to see their individual data privacy compromised, the bill needs to strike a balance between the two.
Would amendments or ways to “soften” it, help acceptance of the legislation? Or would it be too harmful to it?
Initially there were several amendments that were considered. Some passed, some were defeated. Many dealt with whom in the government would be on-point to coordinate and disseminate the data, while others addressed the issue of securing individual's privacy. It comes down to who has access to see personal identifying data and who doesn’t. The government has long tried to approach these types of concerns by targeting different levels of access rather than enabling individualized access. It’s a case of proper identity management, who should have access to see vital personal data and who should not. The bill needs to show a commitment to truly protecting personal information from prying eyes that really have no place having access to it in the first place.
If the bill doesn’t become law, what could be the repercussions?
The bill hasn't become law yet, and there is still a long road before it becomes enacted. The Senate has passed its version, as has The House, and now the two need to be reconciled in a Conference Committee. Chairman Burr, the bill's chief cosponsor in the Senate, has indicated that a compromise bill won't be ready until January – at the earliest. The compromise will then need to pass both the House and Senate before the President can actually sign it into law. Regardless of if this bill does or does not pass, it is putting the issue of cybersecurity front and center. There is recognition that something must be done to prevent the influx of cyberattacks, and until the right safeguards are in place to protect peoples' online data the repercussions that stand to come will echo what we have already seen today: increased network breaches, compromised personal data and a decline in the public’s trust towards government and business.
If the legislation becomes law, what can consumers expect to see?
Senator Feinstein, the bill's primary Democratic sponsor, said yesterday that this bill is a first step to protect the United States from cyberattacks - indicating that future legislation will focus on data security and safeguarding critical infrastructure from cyberattacks. That opens up a whole different conversation about how to secure the growing Internet of Things (IoT) to ensure that, as more and more devices communicate with one another, there are security measures and protections in place that are up to the task. Whether it’s connected cars, smart grids or critical public networks, security stands to continue to be a pivotal part of future legislation as the government looks to create standards for proper streamlined communication protocols.
Beyond this legislation, what else can be done within industry to secure data?
It drills down to investing in – and actually implementing – up to date technology practices. The Federal Government has long had recognized standards that favor enhanced identity management and authentication procedures beyond simple passwords. FIPS 201 is a United States federal government standard that specifies Personal Identity Verification (PIV) requirements for Federal employees and contractors – the provision calls for two-factor authentication and a derived credentials system. The standard was created in 2005 to ensure an added level of security and to deter hacks – the problem has been a lack of understanding about how the use of the PIV card can be extended. One can’t help but wonder if the issue isn’t a need for legislation – but a real need to invest in properly deploying the type of technology that enables users to connect to a network without compromising security or personal data privacy.