It was a brilliant political maneuver. In the spring of 2011, the Obama Administration put out an ambitious legislative proposal on cybersecurity. Among other initiatives, it called for granting the Department of Homeland Security the authority to regulate cybersecurity for critical infrastructure providers. The Chamber of Commerce made it its mission to kill the bill. They used a simple argument: government doesn’t need to regulate; it needs to make it possible for companies to share information with each other.
The argument worked. The idea of regulating our way out of cybersecurity died a slow and painful death. When the Obama Administration put out a second legislative proposal in the winter of 2015, there was nary a mention of regulation. Yet the “information sharing problem” was never anything more than a digital-age red herring.
The reality is that companies share cybersecurity information all the time: literally millions of indicators every day. Fears that the Justice Department will bring charges of antitrust violation have proven unfounded for over a decade. ISACs have been sharing information among their members since 1998. More recently, Symantec and Intel Security (formerly McAfee) became two of the four founding members of the Cyber Threat Alliance. The core requirement to join is to share 1,000 unique malware samples a day. If these two rivals in the same industry can share cybersecurity information with each other legally and in full view of the public, who can’t?
If the long precedent of cyber information sharing was not enough to convince wary general counsels that antitrust was not a concern, the Department of Justice and the Federal Trade Commission have gone out of their way to make that point clear. In a statement of policy issued in 2014, the chief enforcers of antitrust law made clear that not only was sharing cybersecurity information not a concern, “information exchanges could be procompetitive in effect.” Any general counsel who still has concerns can ask the Department of Justice for a business review letter. Thus far, only one company, TruStar Security, has done that. You can read the letter here.
Want to share information with the federal government but worried it could be subject to the Freedom of Information Act (FOIA) or shared with regulators? You don’t need the Cybersecurity Information Sharing Act (CISA) to pass. The Department of Homeland Security already operates the Protected Critical Infrastructure Information sharing program—PCII for short. Information shared through it cannot be disclosed under FOIA, state and local sunshine laws, through civil litigation or to regulators. Cybersecurity information is categorically considered PCII. Many companies already share cybersecurity information with the federal government through this program.
So what, then, if anything, would CISA do? For most companies, the answer is nothing. Information sharing will continue. If any companies thought monitoring their Internet traffic for security threats was a problem not solved by end-user agreements and security banners, Congress has you covered (if this were actually a problem, we wouldn’t have companies like FireEye today).
The privacy and civil liberties communities believe the intention of the bill is not to allow the private sector to share more information but to be able to collect more information. As Senator Ron Wyden put it, “it’s a surveillance bill by another name.”
I used to agree with Senator Wyden. But that was before the Snowden revelations made cozy relationships with the U.S. government bad for business. Before Snowden, a system where private companies could voluntarily share information with, oh, say, the NSA would have been a problem. Now the U.S. government is lucky to get information out of companies with a court order. The list of companies that actually want to share information with the federal government on a voluntary basis, let alone with the intelligence community, is pretty short.
If CISA passes, it probably won’t do much harm. It also won’t do much to increase cybersecurity information sharing. But it will have one tremendously positive effect: finally, we will be able to shut up about information sharing and figure out what legislation might actually do something to improve cybersecurity in this country.