Over the past few years, the federal government and big corporations, including Sony and Target, have been hit by massive data breaches, a chilling reminder of the severity and scope of cybersecurity threats. Congress offered much bark and little bite in response until Thursday, when the Senate voted 83-14 to end debate on the Cybersecurity Information Sharing Act (CISA). Now the bill will move to the Senate floor and is expected to pass next week, despite opposition from Massachusetts senators Elizabeth Warren and Ed Markey, and from civil rights advocates.
The information shared by CISA would consist primarily of “threat indicators,” data that get exchanged between government agencies and big companies. The government can ideally use these indicators to respond more effectively to cybersecurity threats across the country. But crucial questions remain as to whether CISA offers meaningful protection to citizens. The bill would allow substantial amounts of data to be shared in bulk between companies and agencies, with insufficient, vague requirements on removing personal information. As Senator Ron Wyden, an Oregon Democrat, put it on the Senate floor, “This bill says, with respect to personal data, when in doubt, you can hand it over.”
Tech companies including Twitter, Reddit, Dropbox, and Apple have added their voices to the fray. Earlier this year, Apple refused to offer the government “back door” access into their encrypted devices, and asserted in a statement on CISA that “we don’t believe security should come at the expense of [customer] privacy.” Besides calling out privacy concerns, Apple and other tech giants must protect their business. International customers don’t want their data shared with the US government — and The New York Times reports that 64 percent of Apple’s revenue now originates outside the United States.
As the legislation moves toward a Senate vote, CISA in its current form needs improvements. Perhaps most important, the Senate must answer whether this bill resolves the chronic conditions afflicting America’s security network: unencrypted data, out-of-date systems, unprotected user access, and widespread underfunding. Sharing information can certainly be a valuable tool, but it shouldn’t be mistaken for the systemic upgrades that would demonstrate a genuine national commitment to cybersecurity.