While many technology giants and privacy advocacy groups have been lobbying against a cybersecurity bill passed by the Senate on Tuesday, local cybersecurity experts believe the bill is a step in the right direction for data protection.
The Cybersecurity Information Sharing Act (CISA) is supposed to improve cybersecurity by encouraging companies and the government to share information about threats. It took roughly six years to win approval for such a program.
“In general, it’s certainly well-meaning,” said Jonathan Katz, director of the Maryland Cybersecurity Center at the University of Maryland.
The bill passed by a 74-21 vote with significant support on both sides of the aisle. Among the Maryland delegation, Sen. Barbara Mikulski voted in favor of the bill while Sen. Ben Cardin voted against it.
“I think it’s a great bill. I think it’s important that we share data,” said William D. Penn, president and CEO of Ellicott City-based LarkSpear, which offers its customers a cyber threat-sharing system to help identify security threats before attacks happen. “Then others can learn from the misfortunes of other IT systems, their breaches and how they fixed them, and they can leverage that knowledge. Working in a column, in a silo, is a bad way to run a business.”
However, the bill doesn’t outline how companies will share the information and which data, specifically, will be shared.
“People are concerned about the privacy implications of this,” said Katz.
The bill’s co-sponsors, Sens. Dianne Feinstein, D-California, and Richard Burr, R-North Carolina, said the measure was needed to limit high-profile cyberattacks, such as the one on Sony Pictures last year.
“From the beginning we committed to make this bill voluntary, meaning that any company in America, if they, their systems are breached, could choose voluntarily to create the partnership with the federal government. Nobody’s mandated to do it,” Burr said.
Companies would receive legal protections from antitrust and consumer privacy liabilities for participating in the voluntary program.
The Department of Homeland Security has a mechanism to share information but it’s not streamlined, said Katz. That is addressed with this bill, but without placing limits on what personal information, if any, companies will redact before sharing it with the government.
“This bill gives them carte blanche to do that,” said Katz. “In practice it seems like companies will be able to give justification to hand that information over.”
Sen. Ron Wyden, D-Oregon, who opposed the bill, unsuccessfully offered an amendment addressing privacy concerns that would have required companies to make “reasonable efforts” to remove unrelated personal information about their customers before providing the data to the government.
“You just can’t hand it over,” Wyden said. “You’ve got to take affirmative steps, reasonable, affirmative steps, before you share personal information.”
The privacy concerns raised by other companies didn’t concern Penn from LarkSpear, whose background is in government cybersecurity work. “Rest assured, the government is not interested in your activities,” Penn said. “I, personally, would be more concerned about Google and Microsoft knowing more about me than the U.S. government.”
Arthur Olshansky, chief technology officer at Federal Hill Solutions, a Baltimore cybersecurity company, argues that privacy no longer exists because everything is tracked. This bill doesn’t invade people’s privacy any more than before, he said.
“We’re giving up our privacy every day,” said Olshansky. “I think globally, this is kind of an accepted thing. People have to understand that.”
The House passed its version of the bill earlier this year with strong bipartisan support. The two versions of the bill will need to be reconciled before being sent to the White House for the president’s signature. The White House has already expressed support for the bill.
The Associated Press and Daily Record business writer Daniel Leaderman contributed to this story.