
CISA: New “Cybersecurity” Bill Is About Surveillance, Not Security

Wed, Apr. 08, 2015 Posted: 10:46 PM


Sen. Richard Burr (R-NC) is trumpeting a major Senate cyber bill that he claims is better at protecting privacy. Burr, who is chairman of the Senate Select Committee on Intelligence, hails this bipartisan measure, recently approved by his panel, as taking the first step in cracking down on the theft of personal data and intellectual property. Elaborating, he insists that the bill would create “a cybersecurity information-sharing environment that works much like a neighborhood watch program--allowing all participants to get a better understanding of the current cybersecurity threats that may be used against them.”

The bill was spearheaded by Sens. Dianne Feinstein (D-CA) and John McCain (R-AZ) and was approved 14-1 by the panel on March 18. The legislation being advanced, the Cybersecurity Information Sharing Act of 2015, is known as CISA and is similar to the unpopular CISPA.

The Electronic Frontier Foundation (EFF) details, in brief, what makes the bill so problematic:

“Cybersecurity bills aim to facilitate information sharing between companies and the government, but their broad immunity clauses for companies, vague definitions, and aggressive spying powers make them secret surveillance bills. CISA marks the fifth time in as many years that Congress has tried to pass "cybersecurity" legislation. Join us now in killing this bill.

The newest Senate Intelligence bill joins other cybersecurity information sharing legislation like Senator Carper's Cyber Threat Sharing Act of 2015. All of them are largely redundant. Last year, President Obama signed Executive Order 13636 (EO 13636) directing the Department of Homeland Security (DHS) to expand current information sharing programs. In February, he signed another Executive Order encouraging regional cybersecurity information sharing and creating yet another Cyber Threat Center. Despite this, members of Congress like Senators Dianne Feinstein and Richard Burr continue to introduce bills that would destroy privacy protections and grant new spying powers to companies.”

“This Senate Intelligence bill grants two new authorities to companies:

1) It authorizes companies to implement countermeasures (referred to as "defensive measures" in the bill) for a "cybersecurity purpose" against a "cybersecurity threat." But "cybersecurity purpose" is so broadly defined that there’s almost no limit to what it could mean as long as it’s related to protecting an information system (which can be a computer or software). Similarly, a "cybersecurity threat" may include anything that "may result" in an unauthorized attempt to impact the availability of the information system.

2) The measure adds new authority for companies to monitor information systems for the purpose of protecting an entity's hardware or software. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.”

Some disturbing aspects of the bill:

  • “Sharing Information with NSA - Such sharing will occur because under this bill, DHS would no longer be the lead agency making decisions about the cybersecurity information received, retained, or shared to companies or within the government. Its new role in the bill mandates DHS send information to agencies—like the NSA—’in real-time.’”
  • “Overbroad Use of Information - Once the information is sent to any government agency (including local law enforcement), it can use the information for reasons other than for cybersecurity purposes. The provisions grant the government far too much leeway in how to use the information for non-cybersecurity purposes.”
  • “Near-Blanket Immunity - The bill also retains near-blanket immunity for companies to monitor information systems and to share the information as long as it's conducted according to the act. Again, "cybersecurity purpose" rears its overly broad head since a wide range of actions conducted for a cybersecurity purpose are allowed by the bill. The high bar immunizes an incredible amount of activity. Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and potentially the Computer Fraud and Abuse Act would be precluded or at least sharply restricted by the clause. It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information. It's also unclear because we continue to see companies freely share information among each other and with the government both publicly via published reports, information sharing and analysis centers, and private communications."

To fully drive the point home, an article in TechDirt asks the crucial question: “What cyberattack would the new cybersecurity bill have stopped?” The article goes on to echo what many others have said--that it is not a cybersecurity bill at all; it's just yet another way for the government to gain access to your user information. The full text of the bill is available online.

This flawed, intrusive piece of legislation could be voted on at any time. If you are so inclined, you can contact your senator and tell them to vote no on the bill. EFF has set up a page where you can let your voice be heard.

Candice Lanier