The latest clash in the cybersecurity vs. privacy debate played itself out in Congress on Tuesday when the Senate passed the Cybersecurity Information Sharing Act. Supporters say the bill, approved 74-21, will help stop hackers by getting companies that have been breached to share information about the embarrassing attack with federal law enforcement. The House passed its version in April.
But CISA is very controversial. While proponents call it common sense, critics say it's just an excuse for intelligence officials to grab data on citizens without a warrant.
Before we get to the controversy, what is the bill supposed to do?
According to supporters, there's a big problem: an information gap. When hackers hit a private company, that company is handcuffed or tongue-tied. It can't readily tell people outside its legal walls what happened, what suspicious Internet — IP — addresses or malware code hit it. So other potential targets can't defend themselves.
Supporters say CISA changes that by letting companies share "cyber threat indicators" with the Department of Homeland Security, which in turn can send out the red alert, share the code and warn others.
So that doesn't happen right now?
Well actually, it does. There are existing initiatives, coordinated by Homeland Security and the National Institute of Standards and Technology, to share threat information. There are also subscription services in the private market.
This bill creates a new pipeline. Homeland Security has to share the company's report — which may include customers' personally identifiable information — with the National Security Agency and other spy agencies.
The Senate bill is coming out of the Intelligence Committee, not the Commerce Committee. It had many amendments. One that failed Tuesday would have required the removal of personally identifiable information before a company shares information about threats.
Is privacy the main criticism?
Privacy is a huge issue. Tech giants, which have to rebuild trust with users following the Edward Snowden leaks, have come out against the bill for that reason.
Another concern is simply effectiveness, or rather ineffectiveness. There's a technical problem. Many companies don't realize they've been attacked, either because they're not investing in services to identify breaches or because they're not reading the data they've collected. According to a breach report by Verizon, this lag in detection is "one of the primary challenges to the security industry."
Lawmakers could have focused on creating mandatory cybersecurity standards for companies, to encourage the firms to invest more in data security. A group of professors who teach cyber law and cybersecurity — and oppose CISA — say in a statement:
"Rather than encouraging companies to increase their own cybersecurity standards, CISA ignores that goal and offloads responsibility to a generalized public-private secret information sharing network. CISA creates new law in the wrong places."
Does the bill require information-sharing?
No. Cooperation is voluntary. But there's a nice incentive built in. Say a company shares too much about its users or customers. The bill eliminates legal liability, so the company can be shielded from private lawsuits and antitrust laws.
This isn't the first time we've heard about an information-sharing bill to stop hackers. Another failed in 2012. What's different?
CISA comes at a different time, politically.
Back when Democrats controlled the Senate, they blocked a bill with a similar acronym — CISPA (the Cyber Intelligence Sharing and Protection Act) — that had the same thrust. Now Republicans control the Senate.
And on President Obama's watch, we've had megabreaches like Sony and the federal Office of Personnel Management. He feels pressure to do something. Five days ago, the White House came out in support of the latest bill, saying in a memo that it's an "important building block."
RENEE MONTAGNE, HOST:
And the U.S. Senate has passed a cyber-security bill that could stop hackers, but also raises privacy concerns. The vote was 74-21, which shows strong bipartisan support. The House already passed its own bill last spring, and President Obama has indicated he'll sign the measure. Here to talk about it is NPR's technology reporter, Aarti Shahani. Good morning.
AARTI SHAHANI, BYLINE: Good morning.
MONTAGNE: What exactly does the bill do?
SHAHANI: Well, it's called the Cyber Security Information Sharing Act, or CISA, and it encourages private companies to tell the federal government when they've been hit by hackers. A breached company would give details about the attack - what Internet addresses it came from, the malicious software used and possibly the personal information of customers - over to Homeland Security. That agency would give a red alert to other companies who may be targeted next and also pass along all that information to the National Security Agency. One amendment to the bill, which would have required the removal of personally identifiable information, failed to pass yesterday.
MONTAGNE: Well, and of course, anything that has to do with lots of information being passed on to entities is controversial these days. Who likes CISA and who doesn't?
SHAHANI: Well, there are many supporters, obviously. Among lawmakers, there's been this really urgent feeling that we've got to do something about the hackers. And it's not just because of corporate breaches like Sony Pictures. When the Office of Personnel Management was hit, government workers hit, you know, that really hit home. But privacy is a sticking point. Critics, including tech giants like Apple, Twitter and LinkedIn, they've come out against the bill, saying it doesn't do enough to protect customers and users. And some critics go as far as to say it's a grab by the intelligence community.
MONTAGNE: Well, not the White House, which has called the Senate bill an important building block. Is it?
SHAHANI: Information sharing is voluntary under CISA. And other voluntary initiatives already exist in banking, retail, critical infrastructure. You know, the problem for companies is it can be really embarrassing to share that a breach has happened. It can have financial implications, hit the stock. So lots of companies don't want to do it because, you know, what are they going to get out of it? CISA offers liability protection. So say you hand over too much customer information, you can be protected from lawsuits. But experts I've interviewed say that that doesn't do much to change the corporate calculation, the incentive structure. Lawmakers could have focused on clarifying big, looming questions in cyber security like, for example, who's liable when software fails? A group of cyber security professors and lawyers, they said in a statement that CISA creates new law in the wrong places.
MONTAGNE: And just finally, this isn't the first time we've heard about an information-sharing bill to stop hackers. There was one that failed back in 2012. What is the difference here?
SHAHANI: Well, CISA comes at a different time, politically. Back then, Democrats controlled the Senate, and they blocked a bill with a similar acronym, CISPA - the Cyber Intelligence Sharing and Protection Act. Now, Republicans control the Senate, and we're all tired of being hacked. So there's more of a popular impetus, and both sides feel the need to do something.
MONTAGNE: That's NPR's technology reporter, Aarti Shahani. Thanks very much.
SHAHANI: Thank you.
Transcript provided by NPR, Copyright NPR.