A Surveillance Bill in Cybersecurity Clothing

The Senate is proposing a new bill to protect privacy, but the bill is actually surveillance masquerading as cybersecurity.

Almost every day, Americans learn about how some major institution has been hacked. The privacy of millions has been compromised. Now the Senate is poised to consider a bill that purportedly will enhance protection, the Cybersecurity Information Sharing Act (“CISA”). Don’t let the name fool you. CISA is a surveillance bill masquerading as cybersecurity reform.

First, CISA sets vague criteria for private companies to determine when a “cyber threat” exists. Companies can share user information with any federal agency when they believe there is a threat. Federal agencies, in turn, must immediately share all cyber threat information with the National Security Agency (“NSA”). Because this sharing occurs instantaneously, there is no attempt even to remove consumers’ sensitive, personally identifiable information. The law also explicitly supersedes existing privacy laws that limit the government’s collection of citizens’ data, some of which were past responses to earlier governmental abuses.

In addition, when companies share information with the Department of Homeland Security (DHS), they receive protection from legal liability. This means that individuals whose information is revealed have no ability to challenge the data collection and distribution. Moreover, federal agencies and law enforcement are not limited to using the information for cybersecurity and national security purposes. Instead, they may use the data for any purpose, including ordinary criminal prosecutions, thereby bypassing both legal and constitutional protections.

Finally, CISA gives private companies the ability to engage in defensive tactics called “countermeasures” to combat cybersecurity threats. Under the proposal, companies have essentially free rein to undertake these aggressive maneuvers as long as they are technically confined to their own systems and do not “intentionally” destroy other entities’ systems. They may, however, still have significant effects on other networks, further undermining cybersecurity.

For instance, cyber attackers often hide behind innocent bystanders, masking their true identity. CISA would allow a company that has been hacked to hack the attacker back. If the hacker is posing as an entity on a different network – for instance, a hospital or an emergency responder – the private company could damage the innocent network. Normally, this behavior would be against the law, but CISA amends current law to allow for these defensive operations. Because the defensive attacks would exploit system vulnerabilities and create new ones, CISA makes the Internet infrastructure less secure, not more.

If the government truly wanted to increase cybersecurity, it could start by mandating that federal agencies practice expert-recommended cyber hygiene. Even basic measures that cybersecurity experts consider necessary are not discussed in CISA. For example, most experts recommend that Internet users update software regularly, a piece of advice that is usually disregarded. Users can encrypt data, which makes it less valuable to hackers. They can also set strong passwords and use multi-factor authentication systems for sensitive data, which require additional steps to access the data. These strategies, which slow hackers down and make hacking targets less attractive, could prevent 80 to 90 percent of cyber attacks. In fact, such measures could have prevented the breach at the Office of Personnel Management (OPM) and several other attacks.

CISA threatens personal liberty and makes the Internet less secure. The law encourages private entities to share vast troves of consumer data with federal agencies with no net gain for cybersecurity. Instead, consumer data will be more vulnerable to attack, particularly since there is no guarantee that the federal government will be a better custodian of consumer data than OPM was with employee data. The Senate should recognize CISA for what it is: a surveillance and privacy-killing bill in cybersecurity clothing.
