Following several high-profile data breaches — such as those at Sony and the U.S. Office of Personnel Management — Congress is once again feeling the pressure to push “cybersecurity” legislation.
The problem is, the bill they’re laser-focused on is misguided, wouldn’t protect us — and is a huge gift to companies wanting legal cover if and when they choose to violate Americans’ privacy rights.
In March, the Senate Intelligence Committee voted 14–1 in favor of the Cybersecurity Information Sharing Act of 2015 (CISA). The bill, like its infamous predecessor CISPA, would allow companies to share vast amounts of users’ private and personally identifiable data with the government. That information would go straight to the Department of Homeland Security and then on to the NSA.
If CISA passes, companies would be permitted to monitor and then report to the government on vaguely defined “cyber-threat indicators” — a term so broad that it covers actual threats hackers pose to computer systems but also sweeps in information on crimes like carjacking and burglaries. Those are serious offenses to be sure, but they have nothing to do with cybersecurity.
While current law allows companies to monitor their own systems for cyber threats, CISA would take this to the next level. The bill would allow companies that hold huge swaths of our personal data — like health insurers and credit-card companies — to monitor and report online activity “notwithstanding any other provision of law.”
This means that CISA would undermine the strong protections embedded in laws like the Electronic Communications Privacy Act of 1986 and the Privacy Act of 1964 — laws designed to keep the government from spying on our communications.
While posing a serious threat to our privacy online, CISA wouldn’t even guard well against cyber attacks. The bill offers a bad trade-off, to put it mildly.
In April, leading Internet-security technologists wrote to the Senate Intelligence Committee, arguing that Congress didn’t need to create new legal authority to let companies share information designed to help protect their systems from future attacks. As their letter explains:
Waiving privacy rights will not make security sharing better. The more narrowly security practitioners can define these IoCs [indicators of compromise] and the less personal information that is in them, the better… Any bill that allows for and results in significant sharing of personal information could decrease the signal to noise ratio and make IoCs less actionable.
In June 2015, further revelations from whistleblower Edward Snowden showed that much of the activity CISA would authorize has been going on for quite some time. Leaked government slides show that the NSA and the FBI secretly joined forces in 2012 to spy on Internet traffic in pursuit of cybersecurity suspects.
Despite these efforts, cyber attacks have continued to escalate. Yet this bill to immunize companies from liability for sharing our personal data sailed through the Senate Intelligence Committee.
The lone dissenter on that committee, Sen. Ron Wyden, noted that cyber attacks are a “serious problem.” However, Wyden said, “if information-sharing legislation does not include adequate privacy protections, then that’s not a cybersecurity bill — it’s a surveillance bill by another name.”
So who’s behind the massive push to pass CISA? Insurers, credit-card companies, banks, gas and oil giants, and telecom companies have all lined up behind the bill. Keepers of some of our most private and sensitive data — banks like JPMorgan Chase, and health insurers like Anthem and Blue Cross Blue Shield, to name just a few — are lobbying hard for CISA’s passage.
In fact, according to lobby-disclosure reports for the first quarter of 2015, the number of companies lobbying for CISA has just about tripled over the last year. Recent attacks have cost companies billions, not to mention embarrassment.
Stronger cyber “hygiene” would best protect these companies from intrusions and breaches, but that would be costly. Implementing invasive monitoring programs and handing the information off to the government is far preferable if that approach can be sold as a solution to the problem.
In short, these companies are eager to share more of our personal data with the government so long as they don’t have to worry about violating any privacy safeguards. CISA gives companies exactly what they want: ironclad liability protection to share information about any perceived cyber threats with federal agencies.
So while CISA would do little or nothing to improve cybersecurity, it would strengthen the surveillance regime and make our personal information even more vulnerable to government abuse.
Leaders in the Senate, who want to pass CISA before Congress breaks for its August recess, have announced that the bill will be up on their agenda as soon as this week. The Free Press Action Fund is working with our allies to fight back. Please click here to urge your senators to oppose this dangerous bill.
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License.
Sandra Fulton is a Legislative Assistant at the ACLU’s Washington Legislative Office working on First Amendment and privacy issues.