CISA - what are the international implications?

The US congress just passed into law The Cyber-security Information Sharing Act, also known as CISA, in the last couple of days.

Cyber-security legislation in Obama's State of the Union address
Cyber-security legislation in Obama's State of the Union address

The US congress just passed into law The Cyber-security Information Sharing Act, also known as CISA, in the last couple of days. The passage of the act means that companies operating in the US can share their data with US government authorities like the Department of Homeland Security.

But cyber-security and data-sharing is so often a transnational phenomenon, many companies that operate in the US also operate in Europe and the UK, so how will this affect us in the Old World? SCmagazineUK.com asked a collection of leading industry figures about this momentous bill's effects.

Sharing information with the US government will only be voluntary, says Fred Kost, senior vice president at HyTrust, a cloud security and control company: “The bill allows but does not require that US companies share information with authorities; any companies outside the US such as in Europe or the UK, would use their discretion for whether or not to share information with US authorities, in ways similar to coordination of cyber-crime activities today. Still," says Kost, “The bill seems like an attempt to address the wave of major attacks seen in 2015, yet doesn't address core issues such as requiring encryption and data protection.”

Joseph Pizzo, a field engineer at Norse, a cyber-intelligence company, is not optimistic about the implications for European data privacy. He told SC that, “The opinions of the tech industry, academia and other various experts that the data shared could include personal information is a painful reality.” He says that this could happen if the personal data of Europeans was exfiltrated along with that of American customers after a large breach on an American company. “Without the necessary amendments to the bill to protect the privacy of an individual's data, this becomes a potential privacy nightmare." says Pizzo. But there may be some protection in this case for businesses due to the new European Safe Harbour Rule change: “This means that there must be a level of separation and European data stays in Europe. This is going to force American, UK and other European businesses that cross international borders to keep their data local.”

French Caldwell, a former fellow at cyber-security giant Gartner and the current 'chief evangelist' at GRC software company, MetricStream, reminded SC that, “the UK has had a similar initiative underway since 2013 (CISP)” Where these two schemes differ is the government centrality involved. While CISP is a government-industry consortium, CISA, managed by the department of Homeland Security, allows the government to share threat intelligence.

It will probably still warrant reviews by privacy advocates though: “In light of the recent ECJ ruling against the EU-US safe harbor agreement, I expect there will be scrutiny by EU privacy advocates of CISA.  Companies that do business in both the US and EU will be in a quandary as to what information they can share without violating European privacy law.”

But considering the international nature of data, a transnational information sharing is what we should be looking at next. says Caldwell: “Frankly, cyber-threats are not confined to geographical boundaries so sorting out a transatlantic information sharing regime should be the next priority.”

Christos Dimitriadis, international president of ISACA, has also said that this might be a moot point for Europe: “Information sharing in Europe is based on the same principle: the accurate and fast dissemination of intelligence around cyber-threats. The Governmental network for the collection of information consists of the National Competent Authorities of each state. While not voted yet, the Network and Information Security Directive, includes, on top of the above, provisions around the privacy and corporate intellectual property issues that arise.“