GWEN IFILL: Before the president and Congress left town for the holidays, they managed to enact a massive 2,000-page package of spending and tax cuts. Typically, these laws draw attention only for the chaos they create, like shutting down the government.
But there's a lot more deep inside, in this case, a significant and controversial new law governing cyber-security and Internet data. The new law encourages private companies to share data about cyber-hacks with the government. It protects companies from liability, and it also allows data to be shared with other companies and with the Department of Homeland Security.
Lawmakers from both parties said it was a good deal.
SEN. DIANNE FEINSTEIN, D-Calif.: If someone sees a particular virus or harmful cyber-signature, they should tell others, so they can protect themselves. That's what this bill does.
REP. DEVIN NUNES, R-Calif.: We believe that sharing is an area where you really can't do any harm. It doesn't hurt anybody to have a way to talk. But, right now, they can't even talk.
SEN. SUSAN COLLINS, R-Maine: Does it make sense that we require one case of measles to be reported to a federal government agency, but not a cyber-attack?
GWEN IFILL: But there are some security advocates and privacy groups who say the law manages to go too far and not quite far enough.
Jeffrey Brown has that debate.
JEFFREY BROWN: To understand more, we're joined by James Lewis, senior fellow for the Center for Strategic and International Studies, and Elissa Shevinsky, founder of JeKuDo, a tech start-up designed to provide private communications to customers.
And welcome to both of you.
James Lewis, let me start with you.
The proponents of this in Congress say that this will allow the government to coordinate information, and they think this is the best way to do it, and then push back to other companies, push out information about how to prevent it in the future.
JAMES LEWIS, Center for Strategic and International Studies: You know, it's a really good first step, and it's great that Congress managed to pass a law, almost amazing.
But we have a lot of work to do. And in cyber-security in general, this is a little step. In information-sharing, a lot of things have to come together for it to work. We have tried this for a long time. It's hard to share information, classified information, private information. We will see where we are a year from now, but a good first step, a long way to go.
JEFFREY BROWN: From a security perspective, what's the goal here, and how would the new law try to achieve it?
JAMES LEWIS: This is something the U.S. has been trying to do for almost 18 years now, and it's never worked.
The theory is that, if you remove some of the obstacles to sharing information, people will do more, will know what the threats are, and maybe they will take action. But that's where the bill falls apart.
JEFFREY BROWN: That's where you see a problem on it?
JAMES LEWIS: Yes.
There is no incentive for people to use information. This doesn't change — it's like me telling you, hey, the Chinese are trying to hack into your computer, be ready. It doesn't really affect what people are going to do to defend themselves. And it keeps us in a reactive posture.
JEFFREY BROWN: Elissa Shevinsky, a lot of people have raised privacy concerns in all this. You come at it from that angle. Explain the problems you see.
ELISSA SHEVINSKY, Founder, JeKuDo: There are numerous problems with this bill.
It doesn't actually help us with security. Rather, it's more information gathering for the government. And it makes it difficult for executives like myself to actually safeguard the privacy of our customers.
In the past, we have been able to rely on our privacy policies to create trust with our customers. We can say the privacy policy says that we can't share your data with third parties. With the CISA bill, that will no longer apply. Now companies will be coerced into sharing their customer data with the government.
JEFFREY BROWN: But you say coerced. Isn't this voluntary?
ELISSA SHEVINSKY: They say that it's voluntary, but if the government comes to you and says that they want information, it's tricky to stand up and say no.
JEFFREY BROWN: Well, Jim Lewis, what do you see about that?
JAMES LEWIS: This is DHS we're talking about. And it's very hard for them to coerce anyone. So, it's voluntary.
That's actually my concern, is, since it's voluntary, people are unlikely to do anything. This doesn't expand the information that companies are gathering. It's their decision whether or not they share it, and there's no authority in the bill for the government to coerce anyone. So, I hadn't even thought about coercion as a problem.
JEFFREY BROWN: What would you like to see happen?
JAMES LEWIS: We're going to have to tackle some hard issues.
We're going to have to tackle what is the role of the military, where do we need to regulate, and how do we work with other countries to come to some understanding on what we should or shouldn't do in cyberspace.
JEFFREY BROWN: What do you see the government saying to companies here?
JAMES LEWIS: What they're saying is, you either know more than we do, which could be true. You certainly know different things than we do. And so if you can give us that threat information, and we can share back with you, it will help everyone.
It could work. I mean, it hasn't worked so far, but that's the theory.
JEFFREY BROWN: Well, Elissa Shevinsky, where do you see this line, from where you sit, this line of security and privacy?
ELISSA SHEVINSKY: We need to actually build and enforce real security. That requires encrypting our data.
It requires taking new measures in the government. So many government offices were hacked this last year. We need to review their security practices if they are going to be holding more citizen data.
JEFFREY BROWN: Well, that could be right. This is a very evolving threat, right, both to the private sector and government.
ELISSA SHEVINSKY: That's right. And this bill doesn't address that.
This bill is information gathering for DHS. And it doesn't actually support what we need to improve the security of our companies and to improve the security of our government agencies.
JEFFREY BROWN: What would you like to see? What kind of system would you like to see in place?
ELISSA SHEVINSKY: We need to actually improve the security of how we're storing and managing data, who has access to that data. More threat intelligence won't help us, because we already know what the threats look like.
JEFFREY BROWN: Jim Lewis, is it correct that there is still a lot to work out? There's still a lot we don't know about how this is going to be implemented.
JAMES LEWIS: Yes. The bill has a lot of reporting dates and actions for implementation.
I think that, you know, the debate over the — between the privacy community and the agencies was, where does the information go? They settled on DHS. And now DHS has to prepare itself. So, there is a lot of action here. Right now, this doesn't change anything. Maybe three months from now, we will see some improvement.
JEFFREY BROWN: How would you judge success in something like this? How do we know?
JAMES LEWIS: Unfortunately, the metrics are really simple, how many people are getting in, how much data is flowing out. And if the numbers aren't going down, it's not working.
JEFFREY BROWN: All right, James Lewis, Elissa Shevinsky, thank you both very much.
JAMES LEWIS: Thank you.