For the government to help the private sector safeguard its critical IT infrastructure from cyber attacks, a cyber data sharing approach is deemed necessary. This lays the foundation for the Cybersecurity Information Sharing Act, which recently passed the Senate. But privacy advocates have a different view of the bill, likening it to the controversial surveillance program of the National Security Agency meant to actually spy on individuals.
The bill is considered an attempt at reviving the now dead Cybersecurity Information Sharing and Protection Act, albeit under another name. The two share a striking similarity: both aim to allow the U.S. government to collect cyber data from private companies that suffer a cyber attack, in an effort to identify the scale of damage and mitigate its impact on stakeholders.
At first glance, the legislation might appear benevolent. At a time when cyber attacks against small and large organizations continue to storm the headlines, a strong collaboration between the government and private sector is a matter of life and death.
Enter the CISA bill, which, after two years of deliberation in the Capitol, is now one step closer to becoming law. However, there are qualms left and right about whether the bill would address the enduring demand for robust cyber protection to ward off threats.
For one, critics of the bill claim that it is designed primarily to give the government a legal pass to monitor users of the Internet in connivance with private companies. Those critics, including Senator Ron Wyden, claim that is so for many reasons, chief among them the absence of sufficient privacy protection in the bill.
In other words, the legislation is a surveillance bill, as the critics quip, and not a cybersecurity data sharing bill, as the government would like to declare. True enough, the intention of the bill bodes well for the great majority of Americans, but the way the government intends to enforce it makes you think twice about trusting your service provider once the bill is enacted.
One noticeable provision of CISA is the mandatory submission of personal data to the federal government in cases where it is critical to “show the cyber attack.” But it is not clear how severe a cyber attack should be in order to permit that sharing of data, although the government likes to say it does not allow companies to share information with the government if there’s no need for it.
The sharing of cyber data, according to privacy critics, actually goes beyond the relevant cyber intelligence. Corporate data is also at risk, in the name of fighting what the government deems potential terrorism and threat. Again, it is unclear how the government would categorize something as a threat. And so there’s the risk that instead of being protected, your personal data would only end up being exposed to third parties, including the government.