The controversial Cyber Information Sharing Act (CISA) cleared a key hurdle in the Senate this week and is likely headed for a vote next week. This long-debated bill attempts to promote cyber information sharing by removing legal liabilities associated with sharing of cyber incident data. However, the majority of companies in the technology industry have recently come out strongly against CISA, because this bill does not do enough to protect user privacy.
Unfortunately, it appears that the debate around CISA has focused on trading one risk — corporate legal liability — for another — individual user privacy.
While TruSTAR is supportive of all policy efforts that elevate the discussion around cyber information sharing, the current thrust of the political debate seems to miss the fact that information sharing can be done in a privacy-preserving way that does not increase the corporate risk profile.
The type of information that companies should share does not need to include any personally identifiable information (PII) from customers or users. The challenge has been in separating the data we need to share (attack indicators, tactics, and techniques) from the data we need to protect (PII) — and to do so quickly enough that the information shared is still relevant. TruSTAR is focused on using the latest advancements in extraction, authentication, and encryption to enable the rapid anonymous exchange of cyber incident information to manage corporate risk and preserve the privacy of customers.
While we applaud Congress for its efforts to support information sharing, we also acknowledge the issues raised by tech companies and privacy groups. Technology is rarely a panacea, but in this case, it can help address concerns on both sides and put the focus on the core issue we all agree on: enabling meaningful information sharing and collaboration around cyber incidents to help better protect our government, our companies, and all of our valuable personal data that they hold.