10.20.15

Debunking Myths about Cybersecurity Information Sharing Act

WASHINGTON – Senate Select Committee on Intelligence (SSCI) Chairman Richard Burr (R-NC) and Vice Chairman Dianne Feinstein (D-Calif.) today released a fact sheet on the Cybersecurity Information Sharing Act of 2015 (CISA). The Cybersecurity Information Sharing Act of 2015 helps protect personal privacy by taking steps to stop future cyber-attacks before they happen, not after Americans' personal, financial, and private information is stolen by foreign agents and criminal gangs. This legislation creates a cybersecurity information sharing environment that allows participants to get a better understanding of the current cybersecurity threats that may be used against them. The bill was reported out of Committee on March 3rd, 2015, on a vote of 14-1.

“Week after week, we learn of more cyber-attacks on Americans,” said Chairman Burr. “Hackers have stolen detailed information about Americans’ families, their medical history and their financial data and exposed that information to criminals and foreign governments. It’s time to take action to keep Americans safe and to reinforce our defenses against adversaries that we cannot see before we fall further behind on this new battlefront.”

“Millions of personal records and hundreds of billions of dollars fall victim to cyber-attacks every year, and we’ve done little to stem the tide,” said Senator Feinstein. “This information sharing bill, while not a silver bullet, is an important step to shore up our cybersecurity. This bill is the product of years of work and includes input from all sides of this issue. It balances security, personal privacy and liability protection in a way that I believe can pass the Senate. I look forward to finally seeing this bill become law.”

MYTH VS. FACT

MYTH: CISA is a “surveillance” bill.

FACT: 100% false for the following reasons:

  1. All sharing under the bill is completely voluntary. No company is compelled to provide information to the government or any other company.
  2. CISA does not provide any way for the government to monitor any personal records, including library and book records, gun sales, tax records, educational records or medical records.
  3. CISA requires private companies and the government to review all information prior to sharing in order to remove any irrelevant personally-identifiable information that may be contained in cyber threat indicators or defensive measures.
  4. CISA does not allow the government to monitor private networks or computers.
  5. CISA does not let the government shut down websites or require companies to turn over personal information.
  6. CISA does not permit the government to retain or use cyber threat information for anything other than cybersecurity purposes, identifying a cybersecurity threat, protecting individuals from death or serious harm, protecting minors or investigating limited cyber-crime offenses.
  7. CISA provides rigorous oversight and requires regular reports from heads of agencies, inspectors general and the Privacy and Civil Liberties Oversight Board to ensure that privacy is protected in any voluntary sharing that occurs.

MYTH: CISA requires companies to send your personal information to the government.

FACT: Completely untrue. CISA is 100% voluntary. CISA does not mandate or compel any private entity or individual to do anything other than take the privacy-related actions necessary if they do share information. The cyber threat information sharing is completely voluntary. Companies have the choice as to whether they want to participate in CISA’s cyber threat information sharing process, but all privacy protections are mandatory. 

MYTH: The status quo is good enough. No additional action is needed. It’s better to have no bill than to have CISA.

FACT: To the contrary, CISA will help protect your personal information from being hacked and stolen. In fact, it is more damaging for America to be at the status quo, unprotected and without a cyber information sharing bill signed into law. Every day on the news, we hear about another cyberattack against your personal information—health records, credit cards, and other private records. The status quo leaves Americans at risk for ongoing cyberattacks and having their personal information stolen by hackers and foreign actors. Under the current law’s status quo, private and public sectors cannot fully share cyber threat information, making it easier for hackers to pillage data from individuals and businesses alike. CISA provides a framework for cooperation on cybersecurity in a way that protects privacy by authorizing public and private entities to take defined, limited cybersecurity actions that can better protect businesses and government entities.