Recent cyber incidents underscore the need for legislation to help businesses improve their awareness of cyber threats and to enhance their protection and response capabilities in collaboration with government entities. Cyberattacks aimed at U.S. businesses and government bodies are increasingly being launched by sophisticated hackers, organized crime, and state-sponsored groups. These attacks are advancing in scope and complexity. The need to address threats against American and global businesses has gone from an IT issue to a top priority for the C-suite and the boardroom.
The Chamber works to influence policies, legislation, and regulations that promote private sector solutions to cybersecurity. Here we help to demystify the CISA legislation, currently being debated in the U.S. Senate under S.754, the “Cybersecurity Information Sharing Act of 2015” (CISA).
What is CISA?
CISA stands for the Cybersecurity Information Sharing Act of 2015. The bipartisan bill would create a voluntary cyber threat information sharing program, strengthening businesses’ protection and resilience against cyberattacks.
Why do we need CISA?
Legislation is necessary to fundamentally improve information-sharing practices between the U.S. government and the business community that reflect the conditions of an increasingly digital world. CISA would create a voluntary program to help strengthen the protection and resilience of businesses’ information networks and systems against increasingly sophisticated and malicious actors.
Businesses need legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and countermeasures in real time and taking actions to mitigate cyberattacks. Legislation needs to safeguard privacy and civil liberties and establish appropriate roles for civilian agencies.
How does CISA improve cybersecurity?
Cyberattacks aimed at U.S. businesses and government entities are being launched by sophisticated hackers, organized crime, and state-sponsored groups with impunity—and that has got to stop. Even more frightening, these attacks are advancing in scope and complexity.
While there is considerable debate with regard to the best strategies and tactics for protecting America’s cyber networks, one general agreement among cyber experts is the need for the enhanced sharing of timely and actionable cyber threat intelligence between the private and public sectors. 85% of America’s critical cyber infrastructure is owned and operated by industry. It is critical for industry to have real-time situational awareness about potential threats and access to the best practices and strategies to combat such threats.
Passing CISA won't prevent all cyberattacks; no legislation can prevent advanced and persistent threats from breaching an organization’s cyber defenses. However, CISA will give both government and industry the tools to better protect and prepare against future attacks.
Isn’t CISA just a surveillance bill?
CISA would spur information sharing in smart ways that protect and respect privacy. The bill represents a workable compromise among multiple stakeholders. It is simply inaccurate to call CISA a surveillance bill. CISA limits the information that can be shared by businesses and government entities to essentially the tactics, techniques, and procedures used by malicious actors to compromise the computer networks of their victims—not sensitive personal information contained in such networks. In those rare instances where an individual’s personal information is embedded within the cyber threat information or defensive measures, CISA calls for public and private entities to remove such personal information unrelated to a cyber threat when sharing (p. 16 of the bill).
Does the Chamber support CISA?
The Chamber strongly supports CISA and urges the Senate to expeditiously pass it. The Chamber urges Congress to send a bill to the president that gives businesses legal certainty that they have narrow liability protections when voluntarily sharing and receiving threat data indicators and defensive measures in real time and monitoring their networks to mitigate cyberattacks.