Congress Pushes Revamped CISPA

It seems as if the US Congress is back in the business of making “powerful friends” again. By friends, I mean enemies. This time, it is via the Cybersecurity Information Sharing Act, or CISA (not to be confused with the ISACA certification of the same name), linked in the references below. Effectively, CISA is a revamped CISPA. Here is an excerpt from the summary of the act:

(Sec. 3) Requires the Director of National Intelligence (DNI), the Department of Homeland Security (DHS), the Department of Defense (DOD), and the Department of Justice (DOJ) to develop and promulgate procedures to promote: (1) the timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments; (2) the sharing of unclassified indicators with the public; and (3) the sharing of cybersecurity threats with entities to prevent or mitigate adverse effects.

Requires notification to be provided to entities when the federal government has shared indicators in error or in contravention of law.

Directs the DNI to submit such procedures to Congress within 60 days after enactment of this Act.

Apple and Dropbox are two of these enemies. Per The Washington Post, Apple had this to say: “‘We don’t support the current CISA proposal,’ Apple said in a statement. ‘The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.’” Business Insider has a good summary of why companies are against this bill:

It’s intended to help facilitate the sharing of companies’ data with the US government in order to prevent and tackle crime. If passed, a US citizen wouldn’t be able to sue Google, say, using privacy/antitrust laws for passing on their data to US law enforcement. It also provides immunity from the Freedom of Information Act, making it difficult for someone to find out exactly what information (if any) has been shared with the government.

Decide the Future maintains a scorecard of companies for and against CISA (and similar bills over the years). Here are some notable supporters and opponents:

  • Oppose CISA
    • Twitter
    • Wikipedia
    • Salesforce
    • Apple
    • Dropbox
    • Google
    • Yahoo
  • Support CISA
    • Cisco
    • Facebook
    • T-Mobile
    • LinkedIn
    • HP
    • IBM
    • Comcast

The privacy group Electronic Frontier Foundation (EFF) has petitions and information pages opposing CISA (linked in the references below).

Our Analysis

Based on the information that I was able to find, this seems a little Orwellian for my taste. I am all for government and private businesses sharing cybersecurity information, especially in the wake of the high-profile breaches listed below. The problem is that companies should be able to opt in or opt out without government intervention, coercion, or legislative bullying. I further echo the sentiments of Apple in terms of customer trust. Combine this with reports that the NSA is able to break 1024-bit Diffie-Hellman key exchanges and with government attempts to compel cryptographers and vendors to build in back doors, and there is no such thing as security or personal privacy from the government.

I typically take a more pro-government stance in these scenarios, but this is overreach. People have a reasonable expectation of privacy. People should not fear that their government is spying on them without rhyme, reason, or cause. Either the lawmakers are really trying to move to an Orwellian model as in 1984, or some of the bill’s sponsors have ulterior motives and something to gain. I am not sure why this is passing so quietly. I will be personally following this. If interested, please subscribe to stay in the loop.

Other High-Profile Breaches:

  • Experian (includes T-Mobile)
  • Trump Hotels
  • Tesla and Chrysler (unrelated to each other)
  • Apple App Store
  • U.S. Office of Personnel Management (OPM)
  • Kaspersky & FireEye (unrelated to each other)
  • Excellus Blue Cross Blue Shield
  • Ashley Madison
  • Ashley Madison (follow-up)

Thanks for stopping by and reading our blog. We would appreciate it if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads it, regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.

If you have ANY Cybersecurity needs, please contact us and a member of our staff will promptly reply to your question or concern.


References:

  • Cybersecurity Information Sharing Act (CISA)
  • The Washington Post
  • Business Insider
  • Decide the Future
  • Electronic Frontier Foundation

About Joe Gray

Joe Gray joined the U.S. Navy directly out of high school and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (and tapping out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.