CISA legislation would lift liability for businesses sharing cyber threat information

Privacy advocates still opposed, some gray areas remain for corporations

A bill that encourages businesses to share threat intelligence with each other and with the government is closer to becoming law than it has been in years, now that it offers businesses near-immunity from liability if the data they share is stolen and causes harm. Such sharing, however, is still fraught with problems.

The proposed Cybersecurity Information Sharing Act (CISA) doesn’t force anyone to share, but it creates incentives for businesses to do so willingly, says Nathan Taylor, a partner at the law firm Morrison & Foerster, who is following the bill as it works its way through Congress.

The Senate has approved a version of the bill, which must be consolidated with two versions passed already by the House, and then signed by President Obama before it becomes law.

The biggest carrot is protection from liability if shared information is misused, provided it was submitted in compliance with the law, which means that personally identifiable information was stripped out or an automated system was in place to strip it, Taylor says.

Threat intelligence sharing is considered a good thing by a broad range of security pros who practice it in Information Sharing and Analysis Centers (ISAC) and in informal associations with trusted peers.

But sharing with a central government clearinghouse worries privacy advocates who fear agencies such as the NSA will scoop up the shared data and somehow de-anonymize it, putting at risk the privacy of data businesses were entrusted to keep, says Ari Schwartz, the former White House Senior Director for Cybersecurity, now Managing Director of Cybersecurity Services for Venable.

The Senate-passed version of the bill would put the Department of Homeland Security in charge of creating and maintaining a portal for submitting data, sorting it, deciding which other federal agencies ought to see it, and distributing it. DHS is a civilian agency, so it was a less divisive choice than, say, the CIA or NSA.

Despite that, if the law passes with its liability protections intact, it will make it harder for businesses to resist sharing. They could no longer argue that the risk of privacy lawsuits is too high, because the new law would override privacy laws for cyber-threat information sharing. “It’s harder to say no now,” he says. “You have to give information to get information.”

Heavily regulated telecom and healthcare industries in particular were worried about complying with privacy rules, he says. Yet with major breaches at healthcare providers this year, the industry could benefit from swapping threat information to identify and head off attacks sooner.

The bill leaves some gray areas. For example, what happens if a service provider monitoring a customer’s network detects cyber threat information? Can it share the information and be protected from liability? “I don’t think the issue is squarely addressed in the bill,” says Taylor. “I don’t think the bill was intended to trump a company’s ability to control its own service providers.”

Tech industry trade groups Computer and Communications Industry Association (CCIA) and the Business Software Alliance (BSA) oppose CISA, saying it lacks privacy assurances and fails to limit the uses to which the information can be put. Apple, Salesforce, Twitter and Reddit are among individual companies opposed. It is supported by the U.S. Chamber of Commerce.

Stories by Tim Greene