NCTA: CISA a Safeguard, Not Surveillance

The following is an edited excerpt from an Oct. 7 National Cable & Telecommunications Association blog post.

After months of discussion and hard work, the Senate appears set to move forward with the Cybersecurity Information Sharing Act of 2015 (commonly known as CISA).

In short, CISA is a law that would allow companies to share cyber-threat information with each other, and electronically with a civilian government portal at the Department of Homeland Security (DHS), to mitigate and prevent cyber attacks.

A law like CISA is born out of necessity. Last year, cybersecurity company Symantec reported that more than 348 million identities were stolen, and 46% of Americans were exposed through these data breaches.

The Center for Strategic and International Studies (CSIS) estimates the annual cost of cybercrime tops $400 billion and results in a loss of as many as 200,000 jobs. CISA is designed to not only guard the companies targeted by cyber attacks, but also protect individuals who depend on those companies to secure their personal data.

Needless to say, a cybersecurity bill of this stature and relevance has been met with both spirited support and concerned opposition over three Congresses. Many of the apprehensions — especially those regarding individual privacy and civil liberties — have been heard, and important changes have been made to the bill to ensure it can in no way be misused as a “surveillance” bill.

Its scope is extremely narrow and specifically aimed at protecting businesses, individuals and critical Internet infrastructure from malicious cyber attacks. It does this by allowing companies to share cyber-threat indicators, or CTIs, with other companies and the DHS portal in real time through a mandated, automated process.

Knowledge sharing like this has the obvious benefit of potentially identifying and stopping the DDOS [Distributed Denial of Service] attackers, but it also helps prevent similar attacks in the future by allowing businesses to identify exposures and take protective measures before an attack happens. Plus, in some cases CISA protects the companies that share data from lawsuits lobbed at them for having appropriately shared data in the first place.

CISA cannot be used by government agencies to investigate and prosecute “serious violent felonies” — which was a significant pro-privacy change to the bill. CISA cannot be used to “hack back.” So, as a defensive measure, companies are not allowed to destroy or render other computer systems unusable. And CISA liability protections cannot be used when sharing CTIs with the Department of Defense or the NSA — only with DHS.

In short, the bill writers have worked diligently to address the concerns of privacy and civil liberties organizations.

CISA passed the Senate Select Committee on Intelligence in March with broad support from both political parties and industry. CISA represents a workable compromise among many stakeholders. CISA safeguards privacy and civil liberties; it is not a surveillance bill.