The US Senate passed the so-called Cybersecurity Information Sharing Act – or CISA – Tuesday evening by a wide 74-21 margin.
The overwhelming Senate support for the bill gave little indication that concerns from tech companies, information security experts and civil liberties advocates were seriously considered. Shannon Young reports.
The landslide Senate vote in favor of the Cybersecurity Information Sharing Act, or CISA, came after multiple attempts spanning five years to pass similar legislation under different names. Called CISPA in a former incarnation, the bill also drew on the highly controversial “cyber” legislation before it: SOPA and PIPA.
Some of the tech companies that have raised concerns about CISA include Google, Apple, Microsoft and Oracle. CISA sponsor Senator Richard Burr addressed those companies specifically ahead of Tuesday’s vote, saying “Do not try to stop this legislation and put us in a situation in that we ignore the fact that cyber attacks are going to happen with greater frequency for more individuals, and that the sooner we learn how to defend our systems, the better off personal data is in the United States of America.”
The stated purpose of CISA is to allow companies to share information in real time about perceived hacking threats, but critics of the bill warn it’s a legal framework for mass surveillance in cybersecurity clothing.
“In particular, CISA seems like it offers the opportunity for companies to engage in PRISM-like practices without a risk of being called to task for the privacy invasions that are a result,” explains technologist Daniel Kahn Gillmor, a fellow at the American Civil Liberties Union’s Speech, Privacy and Technology Project. He says that information-sharing already occurs at a certain level to monitor and mitigate threats to networks, but the type of data sharing across networks with varying security protocols called for in CISA would actually make data more vulnerable.
“By encouraging a wide spread of potentially large amounts of information, it allows and encourages the establishment of not only the sort of spying apparatus that really has no business being in place in a democratic society, but it decreases cybersecurity by putting the data that is shared even more at risk that it was in the first place,” explains Gillmor.
Ahead of Tuesday’s vote, Senate supporters of the bill pushed the point that participation in the information-sharing program is voluntary. But companies that do choose to join can take advantage of an attractive incentive: liability protection.
CISA “provides that two competitors in a market can share information on cyber threats with each other without facing anti-trust suits,” says California Senator Dianne Feinstein. “It provides that companies sharing cyber threat information with the government for cybersecurity purposes will have liability protection.”
CISA critics say that liability protection could keep companies with already bad digital security practices from improving their protocols. Then there’s the issue of oversight.
“This has none of the oversight that the already pathetic, inadequate overseeing programs that the NSA and FBI currently do – none of the oversight, none of the ability for a defendant to ultimately challenge the collection of this data,” says independent journalist and researcher Marcy Wheeler. “And it’s going to get a lot more content from Americans, which is illegal, according to a Supreme Court ruling.”
Oversight would fall to inspectors general within the agencies, who – when they do find issue with a program – tend to act slowly, if ever.
Wheeler says companies can also use reports of perceived network intrusions or hacking as a sort of “get out of regulatory action free” card: “For example, Chrysler was exposed to have, you know, that their cars could be hacked remotely. If Chrysler had just gone to NHTSA, to the National Highway Traffic Safety Administration, and given them that data from the start, NHTSA would not have been able to force a recall, which is what NHTSA ended up doing. So this actually takes tools out of the government’s hands to force corporations to do what they need to do. And they’re doing it…Congress is doing it just to bribe corporations to spy on their customers for the government. That’s the arrangement that is happening here.”
But while the measure encourages information sharing in some sectors, it restricts it in others.
CISA significantly weakens the Freedom of Information Act and puts decision-making power on FOIA requests into the hands of the Senate Intelligence Committee, the same body where current CISA legislation originated.
Before it can go to the president’s desk and become law, CISA must now go back to the House of Representatives for conference, so legislators can consolidate the Senate bill with the House version passed earlier this year.