Vote CISA

By Dave Oxner

Last week, Congress departed Washington for summer recess, leaving critically important cybersecurity information-sharing legislation on its desk. The Cybersecurity Information Sharing Act (CISA) of 2015, otherwise known as S. 754, is a bipartisan measure that would enable the private sector to better protect American consumers and businesses by sharing critical information about cyber attacks with each other, the government, law enforcement and other institutions.

CISA passed the Senate Select Committee on Intelligence in March with broad support from both political parties and stakeholders; the Senate is now expected to vote on the legislation in the fall. A small, but vocal, group of lawmakers and privacy interests is opposing the legislation on the grounds of five popular myths. The Protecting America’s Cyber Networks Coalition, of which SIFMA is a member, debunks them here and encourages lawmakers to move forward to #VOTECISA.

Myths and Facts

Myth: Shared cyber threat information is broad in scope.

Fact: CISA’s definition of cyber threat indicators (CTIs) is very limited. Businesses and government entities may only share the tactics, techniques, and procedures used by malicious actors to compromise the computer networks of their victims. In the vast majority of cyber incidents, CTIs do not implicate a person’s behavioral, financial, or social information.

Myth: CISA is a surveillance bill.

Fact: CISA does not authorize the government to surveil individuals, for example by targeting crimes unrelated to cybersecurity. First, a revised version of CISA eliminates the government’s ability to use CTIs to investigate and prosecute “serious violent felonies”, which is a significant pro-privacy change to the bill.

Second, network “monitoring” conducted by businesses under CISA is limited to cybersecurity purposes, just as CTIs are. Monitoring can only be conducted on a company’s own information systems. Further, “monitoring” under CISA is not intended to carry the meaning that the term has in the context of federal criminal wiretap law or electronic surveillance under the Foreign Intelligence Surveillance Act (FISA). Any other monitoring by companies would require authorization beyond what CISA grants. Third, Senator Dianne Feinstein, a California Democrat, said on the Senate floor on August 5 that CISA is not a surveillance bill, and that the bill was amended several times to address critics’ concerns.

“[CISA] is not a surveillance bill. . . . It gives the Attorney General [and the Secretary of Homeland Security] the obligation to come up with secure guidelines to protect private information. . . . We have taken every step to prevent privacy violations from happening under this bill. Yet there are individuals who still raise that as a major concern. I believe it is bogus. I believe it is a detriment to us in taking this first step to protect our American industries. If we don’t pass it, the thefts are going to go on and on and on.”


Myth: The bill allows companies to use offensive measures or “hack back.”

Fact: CISA does not permit so-called hacking back: companies are not authorized to destroy or render computer systems unusable. The bill ensures that “defensive measures” (DMs) are properly bounded. The managers’ amendment clarifies that companies are not allowed to gain unauthorized access to a computer network.

Myth: CISA does not require businesses to remove personal data from threat indicators.

Fact: CISA contains multiple, overlapping provisions to guard and respect privacy. For example, in those rare instances where an individual’s personal information is embedded within CTIs or defensive measures, CISA calls for public and private entities to remove personal information unrelated to a cyber threat before sharing CTIs and DMs, and the federal government must do the same.

Myth: Businesses are encouraged to share information with the Department of Defense (DoD) and the National Security Agency (NSA).

Fact: Businesses are not granted liability protection when sharing CTIs with the DoD and the NSA, which preserves the status quo. CTIs that businesses pass on to the federal government must go through the Department of Homeland Security (DHS), which is a civilian entity.

Additional Resources

SIFMA’s Cybersecurity Resource Center
Take Action: Protect America’s Cyber Networks (Protecting America’s Cyber Networks Coalition)

Cybersecurity Webinar: August 12, 2015

Every firm – large or small – has an obligation to be vigilant in our industry’s commitment to cybersecurity. Please join SIFMA and FS-ISAC for a cybersecurity briefing designed specifically for small firms, including discussions on:

  • The Legislative and Regulatory Landscape
  • Participating in FS-ISAC’s Broker-Dealer Council
  • Global Information Sharing and Actionable Intelligence with FS-ISAC

Date: Wednesday, August 12, 2015
Time: 12:00pm EDT

This webinar is open to and free for all FINRA registered and SIFMA Member firms.


Dave Oxner
Managing Director, Federal Government Relations
SIFMA