Cybersecurity bill approved, but what does it accomplish?

It may have been easy for Congress on Friday to approve the Cybersecurity Information Sharing Act (CISA), despite past controversy around it.

This bill does not hike federal spending or impose sweeping regulatory rules. Its main feature is something many firms will be happy to get: liability protection if they share information with the government about cyberthreats and attacks.

CISA was slipped into the keep-the-government running $1.1 trillion spending bill. It was approved just before lawmakers took their holiday recess. The cybersecurity provisions of the bill itself are expected to cost the government about $20 million over a four-year period.

The White House was expected to sign the bill, and possibly upset a long list of tech firms, including Apple, Google and Facebook, who are worried about private information getting into government hands.

Lawmakers are betting that the measure will improve security, but the legislation’s effectiveness will ultimately be settled by the attackers who breach corporate systems.

Alan Paller, director of research at SANS institute, said the bill won’t accomplish “a thing” in terms of improving information security, or reducing vulnerabilities.

But Avivah Litan, an analyst at Gartner, said the bill will matter. Because of legal issues, a malware attack discovered by one firm wasn’t necessarily shared, and this sharing of information is critical.

“Now you know exactly what the attack looks like” as result of information sharing, said Litan. “The bad guys use the same attack in multiple places.”

The government will be required to create a portal for information sharing. It limits the government use of threat information to cybersecurity purposes, which includes threats to minors and countering cyber-related crimes.

There have also been warnings by privacy advocates such as the Electronic Frontier Foundation that the bill is a swamp of “immunity clauses, vague definitions and aggressive spying powers” that have turned it into a surveillance bill. Those comments came in an earlier critique of the legislation.

 

[Source:- computerworld.in]

By Adam