CISA Isn’t Cybersecurity, It’s Cyber-Surveillance

The final CISA bill, which includes about a dozen amendments, has not been made public yet. (Image: via Shutterstock)

Earlier this month, the Senate Intelligence Committee approved the Cybersecurity Information Sharing Act of 2014 (CISA) by a 14–1 vote. Senator Ron Wyden (D-Ore.) stood alone against the bill, saying in a statement March 13 that it “does not include adequate privacy protections” and is simply another “surveillance bill by another name.”

The bill is supposed to encourage data collecting and sharing between private companies and government agencies in an effort to prevent cyberattacks on American IT infrastructures. Opponents, however, are arguing that the legislation’s true mission is to forge a legal framework that makes it easier for the state, along with corporate entities, to surveil internet users and record their communications.

Critics have called CISA the ‘zombie bill’ because for years Congress has regularly proposed legislation, most notably the Cyber Intelligence Sharing and Protection Act of 2013 (CISPA), that would enable the government to skirt private computer users’ encryption codes, which make it more difficult for the government to collect information. That bill passed the House but failed in the Senate.

Politicians on both sides of the aisle are trying again. They’re using the hacking of Sony Pictures in late 2014 as well as the larger threat of terrorism to justify reviving the old legislation. President Obama joined the effort last month, when he signed CISA’s counterpart as an executive order that would also create information-sharing hubs that bring the private and public sectors together. (The differences lie in the dozen or so amendments within CISA that were approved last week but haven’t yet been made public.)

“I see CISA as another attempt at expanding all the powers that the government already has,” former National Security Agency agent and whistleblower J. Kirk Wiebe told Dissent NewsWire. In his 30 years of experience at the NSA, Wiebe says, the one tactic the secretive agency has used most persistently has been fighting encryption keys. He says that the threats the state constantly cites are nothing but a “ploy by the government to put out plausible rationale why people’s data should not be encrypted.”

The battle over encryption, Wiebe insists, stands at the heart of the larger debate over privacy and surveillance. It began after the 9/11 attacks, when he, along with a handful of other colleagues—among them Thomas Drake, Ed Loomis, and William Binney—filed a formal complaint over waste within the agency. As a senior analyst, Wiebe had worked on an in-house ‘connect the dots’ surveillance program that protected users’ identities.

“Human beings didn’t have to see the underlying identifying data,” he says about the program he worked on. “All they would see is a dot and line connecting the two points.” The IT system, he says, worked with the identities of those people whose information was being collected. But the system would automatically encrypt the data — one of the main architects of the program, William Binney, was able to do this by writing an algorithm that used identifiers within the equation to connect one piece of communication with another, but then kept the identity anonymous through encryption in the final outcome. Human intelligence was separate from the process.

“Encryption does not prevent you from doing intelligence,” Wiebe says. If a threat is detected and an identity must be attained, he argues, “then I’d bring in judicial courts. I’d bring in the Supreme Court too.”

The lack of any system of checks and balances has allowed the government to illegally tap into private phone records, steal encryption keys, and intercept and bug computer hardware devices that had been shipped to companies. In fact, unlawful activity at the NSA became so commonplace that employees started to spy on their partners, one of the only violations the agency openly acknowledged and condemned.

The new CISA bill, like Obama’s parallel proposal, would do nothing to address these underlying problems. It would change the structure of information-collecting slightly: Much of it would go through the Department of Homeland Security (DHS), instead of intelligence agencies like the NSA.

But one element that has been missing from each cybersecurity bill is encryption regulations, which Wiebe says are “the single most important step to protecting us from surveillance.”

The lack of concern for privacy and encryption is reinforced by fresh provisions within CISA that seek to expand government surveillance in areas that have nothing to do with cybersecurity. One provision, for example, says that shared information can be used for “a wide range of crimes involving any level of physical force, including those that involve no threat of death or significant bodily harm.”

The New America Foundation’s Robyn Greene outlined the elements within CISA that she says make it look like a “cyber-surveillance” bill more than anything else: companies being able to monitor their users’ activities; requiring DHS to automatically disseminate all the data it collects to the NSA; and permitting companies to retaliate against any users they deem responsible for a cyberattack.

A coalition of open government groups (including the Defending Dissent Foundation) had asked the committee to reject the bill because it creates an unnecessary exemption to the Freedom of Information Act (FOIA) and “would increase the intelligence community’s access to Americans’ personal information without adequate legal protections against the use of ‘cyber-threat’ information to investigate whistleblowers or conduct broad surveillance unrelated to specific cybersecurity threats.”

The final CISA bill, which includes about a dozen amendments, has not been made public yet. It’s unclear whether it’ll pass the Senate. That vote will most likely take place mid-April. In the meantime, Wiebe says, he worries that possible political developments—the Iran negotiations, the rise of ISIS, or continued cyberattacks on the United States—could be manipulated by politicians to ram the legislation through Congress.

“I could even see a scenario where the government knowingly lets a situation like this happen as an excuse to expand control,” he says. “I’m not gonna tell you that the people running these agencies are out to control the American people. It’s that there’s nothing to prevent that from happening. … That sends chills down my back.”