It's not the best law ever written, but the Cybersecurity Information Sharing Act could make things a little better.
Almost as an afterthought, a piece of cybersecurity legislation slipped through on the earmark-encrusted, special interest-affirming 2016 spending bill that passed last week. As an instrument of public policy, the bill is a cheesy piece of work. How the parties can take pride in it eludes me. Whatever.
But the cyber provisions will at least start industries on sharing cyber threat information with one another and with their corresponding federal agencies, giving the companies some liability protections — but not protection from antitrust or privacy law violations.
The privacy crowd doesn’t like the bill, with the ACLU, predictably, calling it a “surveillance bill by another name.” The bill does require companies to remove personally identifiable information from data they share with the government, and for the government to scrub it again. But it contains exceptions, such as when the sharing has to do with protecting minors or the cyber threat could impact human life.
No company is forced to share information.
Few disagree on the existence of the cyber threat itself. Just this week it came to light that a hack originating in Iran two years ago compromised systems controlling a dam in New York, a short bike ride from New York City. The 2013 event caught the attention of the White House, according to the Wall Street Journal. A few years ago, a widely distributed video of a test showed how cyber intruders could damage a power turbine. In Germany, hacks of an industrial control system caused damage to a blast furnace at a steel mill.
RSA president Amit Yoran — an early Homeland Security Department cyber official — predicts industrial control systems will be pushed to the breaking point, especially as they incorporate increasing numbers of connected and automated sensors. This is the dark side of the Internet of Things — evil things. Yoran says intrusions into such systems have jumped by 17 times in the last three years.
Cloud applications and the companies that host them are almost certainly drawing more unwanted attentions, Yoran and other cyber experts say. If banks are where the money is, cloud data centers are where the critical applications and data increasingly go. Federal agencies and companies alike need to include cloud providers in their risk mitigation plans. Especially as DoD takes a closer look at how contractors protect its information, and information related to platforms companies are building. I hope cloud providers become vigorous threat information sharers.
For the past several years, cyber practitioners have said attack motivation had advanced from simple embarrassment to financial gain. Now a variety of motivations exist. You can add physical disruption, espionage and political point-making to the bouquet.
For now, the Cybersecurity Information Sharing Act gives Homeland Security the job of creating a sharing mechanism, publishing rules for how to use it, and determining over a year whether it functions well. DHS and the Justice Department have to come with detailed rulemaking on the privacy functions for data sharing.
Laws are never perfect. The most one can hope for is that when finally enacted, a law makes a situation better instead of worse. CISA squeaks by.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED