Defense cybersecurity gets huge boost
As part of the $1.1 trillion, over 2,000-page federal budget omnibus bill that was recently signed into law to fund the government, a version of the Cybersecurity Information Sharing Act was enacted, giving private companies liability protections to encourage them to share information related to cybersecurity with the government – namely agencies such as the Department of Homeland Security and the Department of Defense.
The bill was first introduced in 2014, and multiple versions have bounced between the House and the Senate since then. The bill had attracted some controversy from privacy and civil liberties advocates, who positioned it as an expansion of the already-extensive foundation for government surveillance initiatives.
Additionally, the bill leaves out provisions that the original House version of the bill included, such as specific requirements regarding the anonymization of private data, a requirement that private companies disclose security issues, and limits on the way that the government can use that information, according to The Register.
But CISA is more about cybersecurity and allowing agencies as well as private organizations to share critical information related to potential security issues – "threat indicators" – with each other. It also ensures that corporations are protected from the liability of sharing that information – the cybersecurity equivalent of the information-sharing apparatus that necessitated the Department of Homeland Security.
Regarding corporate liability: According to the Lawfare Institute, CISA actually fixes certain provisions of digital communication law in the United States. The Electronic Communications Privacy Act and the Wiretap Act have particularly loosely phrased clauses that put large burdens on communication providers regarding what information they're allowed to collect.
The provisions of CISA promote information sharing and protection. Namely, all agencies are now required to analyze what sensitive data is being stored on their servers, and have to implement access controls on that information, as FedTech Magazine said. Also, it authorizes the General Services Administration to develop a single sign-on to unify identity authorization on agency websites.
As FedTech mentioned, in the months since the Office of Personnel Management breach in 2014, good access controls are being viewed as a boon for augmenting IT security infrastructure. Agencies need to have better data management for their sensitive information. Data loss and breaches are a huge problem for agencies of all sizes, and there's no silver bullet – it takes a great amount of time and strategy to lay down a strong cybersecurity policy.