The U.S. Congress has just given its nod to the cybersecurity legislation long held as the government’s solution to the ever-growing cyber threat landscape.
The passage of the Cybersecurity Information Sharing Act into law is only one part of the ongoing battle between privacy advocates and proponents of the notion that in order to combat sophisticated threats and/or mitigate their impact, information must be shared between the private sector and government agencies.
While the cause is commendable, the means are not, staunch defenders of privacy say.
Under the law, companies that have been hit with a cyber attack are required to share threat intelligence with authorities conducting the investigation in order to reduce the severity of a data breach. Threat intelligence includes personal details of customers affected by the attack.
Critics of the law, however, have long voiced suspicion of the legislation, saying it will only institutionalize the government’s efforts to spy on its citizens under its mass surveillance program. That means authorizing the government to obtain your most sensitive information even without your consent.
To be fair, let us hear the argument of the Act’s proponents. They say that, until now, an information gap had presented a tremendous challenge to the government’s efforts to help address cyber attacks.
Before, when an organization suffered any form of attack, the company would be reluctant to disclose information to the investigation panel. Details about what happened and other necessary information would be off-limits even to the government, whose only intention, they say, was to help.
With the cybersecurity law, companies will allow the Department of Homeland Security to gain access to what they call cyber threat indicators that will be disseminated to other potential targets of the attack, thereby preventing the same attack from happening again.
But the law seems unnecessary because DHS and the National Institute of Standards and Technology have already released a cybersecurity framework by which the government’s cyber personnel operate with a clear view of how to respond to an attack incident involving any organization.
The only thing that’s new with CISA is the provision that says DHS must share the threat intelligence, including personally identifiable information of customers, with the National Security Agency so that appropriate actions could be taken to stop further cyber attacks.
So privacy is really the crux of the issue with CISA, and companies are wary that they might lose credibility with their customers when customer data are leaked.
Do you think the new cyber law can protect individuals and the private sector? Tell us what you think about it in the comments below.