By Richard Levick
It’s one of those events where the major issues of our day get writ large even as so many sundry devils lurk in the details. Last December President Obama signed into law new cybersecurity measures that included the Cybersecurity Information Sharing Act (CISA). The legislation, driven in Congress by concern over the high-profile breaches at Target, Home Depot, the Office of Personnel Management, and elsewhere, incentivizes private industry to share cyber threat information with the Department of Homeland Security by providing liability protections, as well as trade secret protections, for participating businesses. No charges or actions (including antitrust actions) can be brought against businesses based on specific activities authorized by CISA, and CISA also exempts shared information from FOIA disclosure.
The data to be electronically shared includes malicious code, security vulnerabilities, specific damages caused by past incidents, and procedures undertaken to interdict or mitigate known or suspected threats. Additional categories of information for sharing will be identified by the government in the coming months. Importantly, participating businesses must remove all personal information before sending data to DHS.
While the guarantees of protection to participating companies are legally mandated and purportedly inviolable, privacy advocates and some business interests are still wary. Among the criticisms now percolating:
First, it’s been observed that CISA proponents cannot actually point to a single recent breach, high-profile or otherwise, that this program would definitely have prevented.
Second, protections extend to companies that share information with the Department of Homeland Security – but there’s the concern that DHS could then provide data to other entities like the NSA, which, as you may recall, aren’t always reliably committed to privacy rights under any circumstances.
Third, companies may feel compelled to participate in the CISA sharing program because, if they don’t, they can miss out on potentially valuable cyber threat information that their competitors – who do participate – openly exchange and benefit from. As such, there is at least some de facto coercion to participate.
Conversely, there is the concern that participating companies have about their own data being protected. “As forthcoming guidelines are issued, we will know more about the risk of a participant’s information falling into the hands of a competitor,” says Jo Cicchetti, co-chair of the Data Privacy and Cybersecurity Task Force at Carlton Fields. “It is worth noting, however, that, along with protections for trade secrets and intellectual property rights, CISA permits an entity that shares information under the Act to designate such information as the commercial, financial, and proprietary information of that entity.”
Such reservations notwithstanding, “the private sector has long clamored for the types of protections provided by CISA. The Chamber of Commerce, for one, supported passage of the bill,” according to Joseph Swanson, also Data Privacy and Cybersecurity Task Force co-chair at Carlton Fields. Indeed, businesses in certain sectors are already actively involved in Information Sharing and Analysis Centers (“ISACs”); CISA explicitly does not limit or modify such existing information-sharing relationships, nor does it prohibit new ones. But it does represent a critical next step, as this is the first time such a broad digital information-sharing process, albeit a voluntary one, has become the law of the land.
Given the level of marketplace demand for a beneficial public/private partnership, “we expect that many businesses will react positively to passage of CISA,” says Swanson.
No doubt the debate as new guidelines are rolled out will be especially critical to those specific industries that have much to gain by participating or possibly much to lose if they don’t. (Swanson points out that some of those industries, such as utilities, healthcare, and financial services, already maintain ISACs to track cyber threat indicators and share information regarding defenses.)
For instance, CISA has certainly led to much discussion within the healthcare sector, which is not surprising since a separate section of the bill deals directly with that industry. This section mandates an industry task force focused on healthcare security issues and calls for a plan to ensure a single source of practicable threat-related data, available at no cost to all healthcare organizations. The attractions of such an accessible resource, and potentially of many other initiatives mandated or inspired by CISA, could prove irresistible to industry members.
Actually, every industry has a dog in the fight, and not just to keep its data secure. There’s a real brand and reputational challenge at hand. “CISA’s passage may contribute to an expectation by customers, employees, and the plaintiffs’ bar that companies will, in fact, share and act on received information in an effort to stave off cyber-attacks,” says Cicchetti. “Where a company does not engage in information-sharing under CISA, or fails to respond to information it receives, and that company later experiences a breach, critics – and litigants – armed with the benefit of hindsight, may use that company’s inaction against it.”
Such challenges for business only underscore the importance of the next several months, during which federal agencies will be tasked to develop further guidelines and logistics. To do so effectively, these agencies must prepare to respond to each and every concern raised by the privacy mavens. Therein may lie the real historical significance of CISA.
After all, there’s a larger debate going on in our world, which hinges around the equally compelling priorities of security and privacy; of our survival as a society, and of the basic human rights that make surviving worth the bother. CISA in and of itself will not, of course, resolve those mega-issues, yet it does at least provide one more opportunity to thrash out the issues, to find workable common ground among competing interests, and to begin to define best practices that can keep us both freer and safer.
Considering the passions that drive the discussion from both the security and privacy directions, I am not overly confident that that ground will soon be reached. But every honest conversation gets us one baby step closer.