Remember when everyone freaked about CISPA, the US cybersecurity bill with scary privacy implications? CISA, a similarly-named cybersecurity bill, is here to take its place. Even after adding fifteen amendments, the Cybersecurity Information Sharing Act is a dangerous piece of US legislation.
Sen. Ron Wyden (D-Ore.) was the only Senate Intelligence Committee member to vote against CISA, but he was unsparing with his criticism, calling it “a surveillance bill by another name”. He’s right.
Kicking the backdoor for spying open wider
Supporters say CISA will help companies share information about cyber threats with the US government, and that the bill has been carefully worded to protect personal information. But critics say CISA will be far less effective at boosting cybersecurity than it will as a piece of loophole-happy legislation that allows for increased government surveillance.
CISA, even gussied up with its amendments, kicks open a government-snooping backdoor that would allow private companies to give the Department of Homeland Security pretty much whatever they wanted as long as it vaguely related to a cyber-threat. It also allows for “defensive measures” against these threats, but offers scant elaboration about what those measures can be beyond noting that they shouldn’t cause “substantial” harm. Uh, thanks?
The terms used are so vague that they’re essentially meaningless. As long as a company could engage in rhetorical gymnastics that related its data to a “cybersecurity purpose”, it’d be fair game to share.
“Given what we know of intelligence agencies willingness to stretch every privacy law to its limits, CISA could potentially authorise a staggering amount of new surveillance,” Evan Greer, the campaign director for privacy advocacy group Fight for the Future, told me.
Wired’s Andy Greenberg pointed out that CISA will usurp older privacy laws like the Privacy Act of 1974, making it hard to counter.
Oh, and the DHS would automatically share the information with the NSA, the Department of Defence and the Office of the Director of National Intelligence, so private information could potentially get pored over by a wide variety of US government agencies, not just one.
The NSA has whatever the opposite of a good track record is when it comes to abiding by privacy guidelines, so of course there’s concern that automatic sharing with the NSA will result in the broadest possible interpretation of the already-menacingly-vague rules laid out here.
CISA protects companies that spill your secrets and attack your files
The bill doesn’t require companies to strip personal information before handing it over to the US government, as long as the information hasn’t been proven to be disconnected from the matter at hand. And while it does encourage companies to weed out irrelevant personal data, it’s much easier for the companies to err on the side of not redacting personal data or bothering to find out if shared information is related to the threat or not.
That’s a problem: CISA gives a wide berth of immunity to private companies in the bill, which means they will have zero incentive not to overshare personal information. CISA would help companies get out of violations of the Wiretap Act, for example.
They will also have zero incentive to be conservative when launching their “defensive attacks”. Companies can launch computer network attacks as a “defensive” measure as long as they don’t totally destroy a suspected thief’s computer, for example. That would be cool if we knew companies could be sure that they were attacking the right computers. But with so many ways for cybercriminals to hide their locations and push their dirty work onto zombified computers, this means there’s a lot of room for damaging the computers of innocent people.
Let’s keep complaining
Public outcry helped kill CISPA (twice) and even though senators keep trying to revive its zombified corpse, there’s pushback to block the bill again, including a veto promise from US President Obama. CISA, meanwhile, is enjoying much less blowback even though it’s just as privacy-corroding as CISPA.
There are plenty of reasons for people who care about privacy to be anti-CISA. But even if you’re like “hell yeah bring on the NSA snooping please” this bill is trash. Most major tech companies already share information with each other and it hasn’t exactly staunched the steady increase in cyber-attacks.
It’s tempting to succumb to outrage fatigue here. We’ve already dealt with so many crappy, privacy-trampling cybersecurity bills. And there are sure to be more and more to come. But these bills keep cropping up because our government cares more about information control than it does about the privacy of its citizens. The only way to prevent one from eventually passing is to keep caring and letting Congress know these bills are unacceptable each time one is introduced.