Just before it went on holiday recess, Congress passed the Cybersecurity Information Sharing Act (CISA) of 2015, which provides legal protection to companies voluntarily sharing information about cyber threats with the government. The bill was attached as a rider to the omnibus budget bill and signed into law by President Obama on Dec. 18. But CISA has been controversial since its inception, drawing support and opposition from both sides of the political aisle.
Financial industry trade groups, including the Securities Industry & Financial Markets Association, have supported versions of CISA since it was first introduced in 2014. After it was passed, SIFMA president and CEO Kenneth Bentsen issued a statement commending Congress for “moving forward, after years of effort, a voluntary, workable cyber threat information sharing bill.”
“Cyber threats posed by criminals, hacktivists, nation states and terrorists are among the most serious threats facing the financial services industry and our nation’s economic prosperity,” Bentsen said in the statement, adding that SIFMA’s “Quantum Dawn” series of cybersecurity exercises validates the importance of sharing information about cyber attacks.
But the bill has been widely denounced by the media, civil liberties groups, the cybersecurity community and trade groups like Computer & Communications Industry Association and The Software Alliance, which represent major tech and Internet companies.
Mark Jaycox, a legislative analyst for the Electronic Frontier Foundation, a digital civil liberties organization, argues that the legislation encourages companies to collect more customer data while simultaneously lowering the existing standards regarding privacy.
“Everyone agrees that you should be sharing computer security information to stop threats,” Jaycox said. “You had core privacy laws on the books that were an adamant check on making sure private information was not sent to the government or other companies. CISA relaxed the standards and allows companies to ignore those privacy laws. There’s less incentive to actually make sure that [private information is] not being sent.”
In fact, financial services firms are already sharing threat information, through both the Financial Services Information Sharing and Analysis Center (FS-ISAC) and through company-run exchanges.
When asked why SIFMA supported CISA, the group deferred to Bentsen’s statement above. Representatives from Morgan Stanley also deferred to SIFMA, while Edward Jones, UBS and Wells Fargo Advisors all declined to comment.
Andy Zolper, the chief information technology security officer at Raymond James, said the firm doesn’t have an official position yet, but is generally supportive of improved information sharing about cyber threats. Zolper said Raymond James actively participates with FS-ISAC and that it has “absolutely improved the ability of financial institutions to manage cyber threats.”
Zolper added that the industry is waiting to see how CISA actually gets implemented, and that it’s difficult for financial institutions to comment until they know more of the details.
“We can share information about the bad guys, how the bad guys make attacks and what technical measures improve safety and security,” Zolper said. “I think both concerns can be accommodated. We need to have transparency about how this bill will work.”
But Jaycox said this rationale collapses because modern computer systems simply aren’t capable of completely scrubbing personal data from the kinds of data collection that CISA asks for. He added that information isn’t the silver bullet that the financial industry paints it as.
Jaycox said the attitudes toward CISA show a huge gap developing between Silicon Valley and Wall Street. While tech companies often try to fight the government over user information, financial institutions are more interested in legal immunity.