The economic impact of cybercrime is enormous and grows greater every year. As ever more of our economy moves online, combatting cybercrime has become a significant concern for web hosting companies, internet giants like Google and Twitter, and the government. CISA (Cybersecurity Information Sharing Act) is intended to go some way toward fighting the criminals, but it is subject to countless criticisms, not least from leading internet companies, security experts, and privacy advocates.
In a nutshell, CISA is intended to allow companies to share threat data with other companies and with government agencies. In theory, this is a good idea — if companies are able to access a database of current threats, they’re more likely to be able to close vulnerabilities and mitigate the impact of attacks. As things stand, companies are often motivated to keep quiet about attacks against their infrastructure and software, which makes it difficult to mount any co-ordinated effort to combat online crime.
However, the CISA bill in its current form is opposed by countless organizations, including Google, Apple, Dropbox, and many more.
Their complaints revolve around three main concerns.
Firstly, CISA does nothing to actually improve security. It is focused on information sharing, but it imposes no penalties on companies with lax security. It does nothing to motivate companies with weak data protections to improve their security.
Secondly, any threat database is likely to contain far more false positives than genuinely useful intelligence about threats. As security expert Robert Graham points out:
“If we had seen the information from the Sony hackers ahead of time, we still wouldn’t have been able to pick it out from the other information we were getting.”
Thirdly, because the bill does little to improve cybersecurity and includes lax provisions for the protection of privacy, CISA is viewed by many as a surveillance bill rather than a cybersecurity bill. CISA overrides existing privacy laws in the name of improving cybersecurity, and although it contains what amounts to minimal privacy protections, in practice it is believed that it will open a floodgate of sensitive and private information moving from corporations to the Government.
Web services companies like Apple, Google, Dropbox, and Twitter, as well as web hosting companies and other online service providers, depend on the trust of their users — without that trust they couldn’t function. Many are opposed to CISA because they believe it strikes the wrong balance between security and privacy. While sharing threat data may improve the security landscape, the subsequent erosion of user privacy is too bitter a pill to swallow for companies whose bottom line depends on user trust. This is especially true for companies that sell into international markets who have already been burned by reactions to broad surveillance initiatives. Apple’s Tim Cook, who is strongly opposed to CISA in its current form, says:
“We don’t support the current CISA proposal. The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”
It’s worth noting that CISA doesn’t compel web hosting companies to share information, but there is a worry that companies without a strong history of respect for user privacy will use CISA to share data that could breach user privacy. In fact, CISA advocates explicitly claim that current privacy laws prevent the efficient sharing of threat information, so it’s entirely likely that CISA will be used to share data that would otherwise have been prohibited.
In short, CISA is a backdoor to existing privacy laws and is unlikely to motivate organizations with lax security and privacy protections to do any better in the future.