Opinion divided on impact of CISA ruling on Safe Harbour

Open DataThe new US Cybersecurity Information Sharing Act (CISA), passed in the US Senate on Tuesday, has made it even harder for data sharing between the US and EU, according to critics.

However, attitudes to data sovereignty and the institution of a new Safe Harbour agreement seem to be polarising across both sides of the Atlantic.

Former White House cyber security advisor French Caldwell, chief evangelist at GRC software company MetricStream, said he recognised the ‘libertarian’ argument but that those at the front line in the IT industry have a more realistic grasp of the immediate issues. “Libertarians are strongly opposed and it’s easy to sympathise with that position. Once the door opens to information sharing, the arrangement might go from voluntary to mandatory over time,” said Caldwell.

However, security people on the ‘front lines’, at banks, electrical utilities, energy companies and hospitals, are fighting a war, he said. “Well financed gangs of criminal hackers are attacking businesses and government agencies daily. And as we’ve seen over the last few years, nation-states are probing for weakness. These cyberattacks amount to cyberwar,” said Caldwell.

The significant privacy protections in the CISA legislation will provide protections from anti-trust rules. Better still, it would bring data holders into a protective information sharing culture with federal agencies, he argued.

However, a UK counterpart saw the CISA ruling differently. “This is bad news. Just as the EU makes it clear that it’s a serious problem if security agencies get easy access to personal data, the US Government makes it even easier for this snooping to happen,” said Mike Weston, CEO of data science consultancy Profusion.

The Cybersecurity Information Sharing Act will make it significantly harder for the US and Europe to agree a replacement for the collapsed Safe Harbour provisions, according to Weston. “Without assurances that European citizens’ personal data is protected, it’s hard to see how such an agreement might be reached. The biggest stumbling block is that while US citizens are afforded some protection by the USA Freedom Act, none applies to citizens of other nations.”

In a Microsoft blog posting its chief legal office Brad Smith called on the US government to respect European Union privacy laws for transatlantic personal data in the post-Safe Harbour era.

The note describes privacy as a ‘fundamental human right’ and urges the US government to commit to only accessing private information stored in the United States about EU citizens in a manner that ‘conforms with EU law, and vice versa’.