At the end of 2015, the Cybersecurity Information Sharing Act (CISA) was signed into law by President Obama as part of a larger omnibus spending bill. In the years prior to 2015, the US suffered many major cyberattacks, including the 2013 Target Corp data breach that leaked the private information of 110 million people and the 2014 cyberattack on the United States’ Office of Personnel Management that affected 22.1 million American citizens. In 2015 alone, multiple major cyberattacks leaked the information of 300 million people and led to $1 billion in damages. Recognizing the need for increased cybersecurity protections, Congress passed CISA with bipartisan support, although controversy over the bill remains. Broadly, the act allows for cybersecurity information sharing between private and public entities in the interest of national security. A key provision of this act is that information sharing with the government is completely voluntary.
Advocates of CISA make two main arguments:
- It is critical to protect private data. Given the cyber environment leading up to the passage of CISA, it was clear that cyber criminals had begun using increasingly complex tactics. In the early months of 2015, the Department of Defense had begun advancing and streamlining its cyber capabilities, and some cybersecurity proponents argued that the private sector should follow its lead. Thus, CISA represents an attempt to develop more capable defenses and responses to cyber incidents in order to protect private information in the United States.
- It is important to develop public-private cooperation in cybersecurity. Neither private companies nor the federal government alone possesses the requisite capabilities to protect critical infrastructure and data from cyberattacks. Public-private cooperation provides a cost-effective and dynamic approach to cybersecurity protection, and advocates have argued that the US should take advantage of such a model. CISA allows the Department of Homeland Security (DHS) to receive cyber information (cyberattack indicators, malicious code, etc.) from private organizations, integrate that data, and provide comprehensive defense strategies for all to use. In addition, if one company were to discover signs of an attack, this information could be sent to DHS and a warning could be distributed to other companies within minutes.
Critics of CISA argue the following:
- CISA does not properly control how shared information can be used. Those against CISA argue that once data is shared with the federal government, there are no provisions in place to ensure that the data is used only for cybersecurity-related purposes. Privacy advocates like the Electronic Frontier Foundation say that CISA takes cyber control away from DHS and allows other government entities to access shared information. They argue that CISA creates an environment conducive to excess sharing and loss of oversight on the regulation of sensitive shared data. Other critics say that such practices would lead to a surveillance state where the government could conduct unauthorized searches using the data collected via CISA.
- The government is not capable of rapidly processing cyber information. Some against CISA argue that the government is not equipped to deal with the fast-paced nature of cyberattacks. They say that cyber criminals do not require consensus decisions to organize their attacks, while the government cannot move at such speed. Additionally, CISA critics argue that private companies are already engaging in extensive information sharing practices, and adding the government into such frameworks only slows these processes down. They also say that the government already has more data than it can process, so the input of additional information is useless.
In the years following the passage of the Cybersecurity Information Sharing Act, cyberattacks have remained an ever-present threat, as exemplified by the attacks on Colonial Pipeline in 2021 and Uber in 2022. Accordingly, CISA has undergone multiple revisions since its passage in 2015 in attempts to improve its efficacy and address privacy concerns. CISA has been effective in incentivizing public-private information sharing, yet adjustments are still needed to improve the quality of data being shared.