A new cybersecurity bill proposed in the U.S. Senate could dramatically impact how the U.S. government and corporations exchange Internet users’ confidential information. But thanks to vague language and a range of privacy and Internet freedom issues, the legislation is already shaping up to be one of the most hotly contested bills the Internet—and Washington—has ever seen.
The Cybersecurity Information Sharing Act (CISA) was written to facilitate the flow of “cyber threat” information between private companies, such as Verizon or Google, and government agencies, such as the Federal Bureau of Investigation (FBI). The bill is currently being considered by members of the U.S. Senate Select Committee on Intelligence, including those who introduced it, Chairman Dianne Feinstein (D-Calif.) and Vice Chairman Saxby Chambliss (R-Ga.).
If enacted, CISA would have a major impact on a variety of Internet related issues, including privacy, corporate liability, freedom of information, law enforcement and national security.
The proposed legislation would, essentially, reconstitute the U.S. government’s policies towards the Internet with regards to Fourth Amendment rights and greatly reduce limitations on corporate and government collaboration.
Remarkably similar to the Cyber Intelligence Sharing and Protection Act (CISPA)—a highly unpopular Internet bill that died in the Senate and was later stalled there after reincarnation—CISA vastly enhances the ability of the federal government and private companies to monitor the online activities of U.S. citizens. As such, prominent civil liberties organizations and digital activists have a laundry list of reasons for not supporting Sen. Feinstein’s new bill.
First, the law would provide broad liability protections for companies that disclose their customers’ information, or employ “countermeasures” against perceived security threats, without just cause. In other words, the proposed law grants corporations a shield when they disregard users' privacy rights.
“The high bar immunizes an incredible amount of activity,” wrote Mark Jaycox of the Electronic Frontier Foundation, “including negligent damage to property and may deprive private entities of legal recourse if a computer security contractor is at fault for destruction of property.”
Of particular worry is the vagueness with which Sen. Feinstein and Sen. Chambliss defined some of the principal elements of the bill. A “cybersecurity threat,” for instance, is defined as an action that’s not protected by the First Amendment, which “may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system…”
As noted by Motherboard journalist Jason Koebler, if CISA were law, it could allow ISPs to deploy so-called “countermeasures,” defined by equally ambiguous terms, against companies such as Netflix to throttle the service’s traffic—a loophole that, if operable, could render future Federal Communications Comission “net neutrality” regulations effectively moot.
Another chief concern is that CISA permits state and local law enforcement agencies to act summarily on information they receive from companies to prevent and prosecute alleged criminal activity.
Furthermore, the limits to what information can be shared with law enforcement, described as “cyber threat indicators,” are apparently open to interpretation. For instance, an acceptable indicator may be “anomalous patterns of communication that appears to be transmitted for the purpose of gathering technical information related to a cybersecurity threat"—whatever that means.
In late June, a letter opposing CISA’s current language was delivered to the Senate Intelligence Committee, undersigned by 22 groups committed to defending online rights, including Demand Progress, PEN American Center, and the Center for Democracy and Technology (CDT). It opens by citing concerns over the 2013 National Security Agency revelations brought forward by Edward Snowden.
“CISA ignores these revelations,” the letter reads. “Instead of reining in NSA surveillance, the bill would facilitate a vast flow of private communications data to the NSA.”
Among other issues highlighted by the civil liberties groups are broad liability protections, arbitrary harm inflicted on average Internet users, inadequate controls over the warrantless use of information, and the militarization of the civilian cybersecurity program—i.e., the requirement that information be disseminated directly to the U.S. Department of Defense.
“Cybersecurity legislation intended to protect national security, financial systems, computer users, and the Internet must not undercut essential privacy rights,” the letter concludes.
Naturally, there are two sides in the debate over CISA. Responding to critics, Sen. Feinstein’s office said in a statement:
"The bill incentivizes the sharing of cybersecurity threat information between the private sector and the government and among private sector entities. It responds to the massive and growing threat to national and economic security from cyber intrusion and attack, and seeks to improve the security of public and private computer networks by increasing awareness of threats and defenses.”
Regardless, if CISA does find its way onto the Senate floor, its progress will likely be tracked and opposed by a dozens of well-known organizations with an interest in curtailing the U.S. government’s domestic intelligence agenda—groups who, according to recent polls, represent the majority of Americans citizens and won’t be easily divided along party lines.
“Privacy groups, which fought hard two years ago to ensure that cybersecurity information sharing does not become a backdoor wiretap, are mobilizing on this legislation,” CDT Senior Counsel Greg Nojeim said in a statement. “The recent revelations about NSA surveillance show how important it is for Congress to legislate with care when communications privacy is at stake, as it is in this legislation.”
The Obama administration hasn’t publicly chosen a side on CISA, but it’s worth remembering that, in April 2013, CISPA was effectively stalled in the Senate after the White House threatened to veto. Among the concerns, the administration was adamant that sharing for cybersecurity purposes from the private sector should enter the government through a civilian agency and not, for instance, through the Pentagon.
CISPA, the White House said, didn’t adequately address the “need for transparency to protect privacy and civil liberties.” According to a host of organizations whose purpose is to uphold the Bill of Rights, neither does CISA.
Photo via Senate Democrats/Flickr (CC BY 2.0) | Remix by Jason Reed