Congress passes controversial Cybersecurity Act

The Cybersecurity Act of 2015, signed into law by President Obama on December 18 as part 2016’s $1.1 trillion omnibus spending bill, subtly differs from the Cybersecurity Information Sharing Act (CISA) that preceded it.

Cybersecurity Act of 2015 v Cybersecurity Information Sharing Act (CISA)

The major differences between The Cybersecurity Act and CISA include:

  • An expansion of prohibitions on the regulation of “the lawful activity of any non-Federal entity or any activity taken by a non-Federal entity pursuant to mandatory standards, including an activity relating to monitoring, operating a defensive measure, or sharing of a cyber threat indicator” by “State, tribal, or local government”. (Sections 104 and 105.)
  • A provision allowing the President to “designate an appropriate Federal entity, other than the Department of Defense (including the National Security Agency), to develop and implement a capability and process” to accept cyber threat indicators from non-federal entities in addition to the capability and process developed by the Secretary of Homeland Security, at least 30 days after having explained to Congress why this is necessary. (Section 105.)
  • An expansion of Section 106 on protection from liability – the reference to “gross negligence or willful misconduct” having been removed – and the addition of the statement that nothing in Title I shall be construed to create “a duty to share a cyber threat indicator or defensive measure” or a “duty to warn or act based on the receipt of a cyber threat indicator or defensive measure”, or “to undermine or limit the availability of otherwise applicable common law or statutory defenses.”
  • The addition of a subsection of Section 108 on construction and preemption stating that nothing in Title I “shall be construed to prevent the disclosure of a cyber threat indicator or defensive measure shared under this title in a case of criminal prosecution, when an applicable provision of Federal, State, tribal, or local law requires disclosure in such case.”
  • A ten-year sunset provision applying to Title I, “ending on September 30, 2025.” (The ten-year effective period applied to the whole of CISA, not just Title I.)
  • The addition to Title II of Subtitle A (National Cybersecurity and Communications Integration Center), which expands on the functions of the center as previously covered by the Homeland Security Act of 2002.
  • The modification of Subtitle B (Federal Cybersecurity Enhancement) of Title II to limit the disclosure of network traffic to agencies other than the Department of Homeland Security by private entities participating in the Federal Intrusion and Protection System. (Section 223.)

Share resources, minimize the threat

The Act has been beset by controversy since its inception. To some, it’s entirely sensible that private companies and government agencies should share information to prevent cyber attacks. Indeed, President Obama commented during last February’s White House Cybersecurity Summit at Stanford University that there was “only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners.”

Surveillance bill

To others – including academics and a large number of prominent tech firms – it represents an indefensible legitimization of state surveillance and an erosion of privacy rights, especially as proposed amendments that would have forced companies to remove personally identifiable information before handing relevant data to the government were voted down by the Senate before the bill was passed.

According to the Washington Post, Apple, Dropbox, Yelp, Reddit, Twitter, and the Wikimedia Foundation “have all said that they oppose CISA [and other] Silicon Valley firms including Google, Facebook and Yahoo have voiced their concerns about the bill through a trade group that represents them in Washington called the Computer and Communications Industry Association.”

CCIA explains that “CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.”

Doing the wrong thing for the right reason?

Ron Wyden (D-OR), one of the 21 senators who opposed the bill last October, said that the tech companies’ opposition showed that there were problems with the bill, commenting before the vote: “Sharing information about cybersecurity threats is a worthy goal. […] Yet if you share more information without strong privacy protections, millions of Americans will say, ‘That is not a cybersecurity bill. It is a surveillance bill.’“

However, Senator Dianne Feinstein (D-CA), one of the bill’s sponsors, said: “If you don’t like the bill, you don’t have to do it. […] But there are companies by the hundreds if not thousands that want to participate in this.” Co-sponsor Richard Burr (R-NC) even issued a press release to debunk ‘myths’ about CISA.

Whatever your opinion of the Act, US companies will now have to work together to share cyber threat information.

Threat sharing and knowing your risks

Some would argue that threat sharing has occurred for a long time already, as the vast majority of cyber crime relies on known weaknesses. Verizon’s 2015 Data Breach Investigations Report found that over 90% of attacks exploited vulnerabilities for which patches were already available: “Many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007 — a gap of almost eight years.”

Making sure you close your security gaps and fix vulnerabilities as soon as they are known is essential to keeping your networks secure and your corporate information safe, which is why regular penetration testing is so important.