A new bill called the Cybersecurity Information Sharing Act (CISA) was passed by the Senate on Tuesday. Its main goal is to stop hackers by getting companies to share information with the federal government about any cyber attacks they face. Basically, CISA works by letting companies share “cyber threat indicators” with the Department of Homeland Security, which then sends out a red alert to warn other people of the threat.
You may be thinking: Don’t companies already have initiatives in place to share threat information? Yes. But what makes CISA different is that Homeland Security can now share the report with the National Security Agency and other spy agencies.
One huge concern is that nowhere in the bill does it say customers’ personally identifiable information has to be left out of the report. In fact, of the countless amendments made to the bill, one necessary amendment that actually failed on Tuesday would have made it mandatory to remove that information before a company could share information about threats.
Here’s another catch: Although a company’s cooperation in sharing information is voluntary, the bill gives companies a nice incentive to do so by eliminating legal liability. For example, if a company ends up sharing too much information about its customers, it won’t have to worry about private lawsuits or antitrust laws.
CISA opponents believe that the bill ignores the goal of encouraging companies to increase their cybersecurity standards and puts more responsibility on a “generalized public-private secret information sharing network.” In other words, opponents say CISA creates a new law in the wrong places.