The Cybersecurity Information Sharing Act (CISA), which is designed to allow private companies to easily share threat intelligence with government agencies, is facing resistance from privacy advocates who fear that the provisions will only increase the indiscriminate monitoring of legal activity.
CISA is seen as the “cousin” of another controversial cybersecurity bill, the Cyber Intelligence Sharing and Protection Act (CISPA), which was defeated by mass opposition in 2012.
In early August the White House gave the CISA a boost through an official endorsement. The Hill reported:
“Cybersecurity is an important national security issue and the Senate should take up this bill as soon as possible and pass it,” said White House spokesman Eric Schultz in a statement.
“The endorsement will increase pressure on Senate leaders to reach an agreement to limit floor debate and come to a final vote on the bill — which would increase the data shared on hackers between companies and the government — before the month-long break”.
The National Journal also released new information related to CISA. On August 26, the Journal reported on 22 proposed amendments to CISA. When the bill is eventually debated the Senators will have to work their way through each amendment.
According to the Journal, the amendments deal with liability protections, more narrow definitions of cyber threats, qualifications for removing personal identity information, cyber crime penalties, and the voluntary nature of information sharing.
It is exactly this alleged “voluntary” information sharing that has come under fire. Recently Wired reported on the possibility that the programs are not exactly as voluntary as supporters of CISA would have you believe.
Wired mentions a previous “information sharing” program for defense contractors which was falsely advertised as “voluntary”. Wired wrote:
In order to receive information as part of the program, entities were required to sign contracts as program ‘participants.’ This would not have been so bad, except that a precondition for being a participant was the requirement that the entity file reports with the government on a regular basis. In fact, the Defense Industrial Base Pilot Cybersecurity Plan definitively showed that participants were required to agree to transfer information about their private network traffic to the government.”
Although at least one of the amendments to be debated deals with establishing narrower definitions of terms like “voluntary”, at this point there is nothing in the bill which would prevent Department of Homeland Security from taking a similar route while calling the program a voluntary interaction.
The DHS also has its own issues with CISA. In late July, the agency sent a letter to Sen. Al Franken, the ranking member of the Senate Subcommittee on Privacy, Technology, and Law, discussing a number of problems with the bill.
The DHS said that if the bill does not mandate the removal of personal information the agency will be forced to “contribute to the compromise of personally identifiable information by spreading it further.” The letter also stated that the bills vague language and broad definitions could lead to “receiv[ing] large amounts of information with dubious value.”
The bill has also been opposed by a number of leading security experts, and privacy organizations such as the Electronic Frontier Foundation. The EFF opposes CISA in its current form because it does not require companies to remove unrelated personal information prior to sharing it with the government.
For Americans who value privacy and liberty, CISA is a looming threat. As is the case with most legislation passed under the guise of protecting the people, it will, in fact, only further erode the peoples freedom and empower the State. We should also take a moment to recognize that this growing Surveillance State could not happen without a compliant partner, the corporations that provide our personal data to the government.
Keep an eye on the CISA saga throughout the coming months. An endorsement from the White House is a sure sign that President Obama wants the “cybersecurity” measure to be a part of his legacy before he leaves office.
What are your thoughts on CISA? Is it necessary to protect your data from hackers? Or is this another government ploy to spy on your activity?