The Cybersecurity Information Sharing Act (CISA) would let businesses send the government data about the cyber threats they face. The bill creates a portal managed by the Department of Homeland Security for collecting the threat data and distributing it across the government.
Privacy groups, security experts, and a growing number of major tech companies oppose the bill, arguing that it does not sufficiently protect Americans’ private information from being swept up in the data that companies share.
Sen. Ron Wyden (D-Ore.), who has led the charge against CISA in the upper chamber, spoke to the Daily Dot on Thursday afternoon about the morning’s vote, the way the bill’s co-sponsors have described their legislation, and the amendments that he and others have offered to strengthen its privacy protections.
“We think that information sharing can be useful,” Wyden said. “But … information sharing without robust privacy protections—millions of Americans are going to say that’s a surveillance bill.”
What do you make of Sens. Richard Burr (R-N.C.), the Intelligence Committee chairman, and Dianne Feinstein (D-Calif.), the ranking member, repeatedly saying that data sharing under CISA would be voluntary, without clarifying that only the companies have a choice, not their users? Do you believe that they were intentionally misleading the American people about the reach and effect of data sharing?
“Information sharing without robust privacy protections—millions of Americans are going to say that’s a surveillance bill.”
Well, I’ll let them speak for themselves. But anytime you can try to make an argument that something’s voluntary, that causes people to say, “Aww gee, who can oppose this?” And especially when you’re talking about cybersecurity, because part of what they’re trying to say is, “Oh my goodness, there are cyber threats, we need this bill!” And of course, we would be the first to say that there are cyber threats—we’ve had Oregon companies hacked. Second, we think that information sharing can be useful. But third, information sharing without robust privacy protections—millions of Americans are going to say that’s a surveillance bill.
I think the fact that the sponsors were so sensitive to the opposition of the tech companies—I don’t know how many times they kept coming back to the fact that the technology companies really weren’t acting in the interests of the country. You saw some of their comments—“There’s no reason for them to be opposed.” [That] was because they know that these companies are experts in both cyber and privacy. They’re ones that are really knowledgeable about it, and they were opposed to the bill. Given that—that they were having to push back against the opposition of some of America’s cutting-edge companies—they were kind of reaching to try to argue that this is all voluntary.
But number one, it’s not voluntary for their customers, millions and millions of customers. And number two, to get the liability protection, the companies have got to say that they didn’t find anything personal and unrelated in a knowing fashion. And that’s going to be a pretty easy bar because they don’t have to do much to look! They don’t have any affirmative obligations to look. They have very little. Basically, they say, “Well, we’re obligated if we know [that there’s personal data in shared threat indicators].”
I’ll tell you what this bill says: “When in doubt, hand over the personal information to the government.” When in doubt. Your obligation is [that] if you know [there’s personal data], you don’t.
One provision of the bill—Sec. 105(3)(A)—appears to say that the “policies and procedures” for the Department of Homeland Security to scrub information from cyber threat data only allow delays for such scrubbing if the delay is “agreed upon unanimously by all of the heads of the appropriate Federal entities.” Doesn’t that give any one agency head a veto over the removal of personal information from data to be shared?
I think you’re right. You could have one person basically stand in the way. So one of the amendments that I feel strongly about is the amendment from Chris Coons that would in effect fix that limitation on DHS. I think that the Coons amendment, our amendment that would require an affirmative obligation to remove and review, to the extent feasible, personal information that isn’t related to cyber threats—those two are very much related, the Coons amendment and my amendment. And I spoke with Senator Coons about it before the procedural vote today.
I spoke to Senator Feinstein’s office about this provision, and their response was that this kind of unanimous agreement for scrubbing was in keeping with traditional practices for the drafting of cybersecurity guidelines. But this sounds different from that. Do you accept their explanation for this language? Does that make sense to you?
It doesn’t make sense to me, and I think the Coons amendment and my amendment complement each other. What we would do is say you’ve got to take affirmative steps to remove unrelated personal information. Senator Coons ups the ante in terms of affirmative obligations by DHS. And I think this is sort of reflective of what the sponsors have been saying. From the very beginning, they make these far-fetched claims. Then technologists look at it and say, “That’s not so.” They started off by saying that this was going to prevent an OPM attack. They went to USA Today, and finally they said that wasn’t the case.
“When you’re working here and up against these very powerful interests, you make sure that you’re not saying something’s done until it’s done.”
Today, on the floor of the Senate, if you look at those couple of minutes that Senator Burr and I and Senator Feinstein had, when we were jousting for our last couple minutes, Senator Burr gets up and says, “This wouldn’t have prevented the major attacks.” And he lists them. And then he said we should be for it anyway. I got up and said, “Well, Senator Burr and I agree that it wouldn’t prevent the major attacks, one. Two, the major technology companies in America, who know something about cyber threats and know something about privacy, say they’re opposed to it. And number three, why would you then say that this was really going to make a difference if you’ve acknowledged that it wouldn’t have prevented a major attack, and companies that really know something about cyber and also privacy are saying they oppose this because they have millions of customers and their customers want to make sure that those companies are addressing both?”
Do you believe that Senators Burr and Feinstein, the leaders of the Intelligence Committee, understand the technical details of these attacks well enough to know, as Senator Burr mentioned, that CISA would not address them?
I never question anybody’s sincerity. I just start with that. I’ve worked with both of them often. I’m not going to question their sincerity. I just think their arguments don’t add up! Just think about what I just said: You have the chairman of the committee saying it won’t prevent attacks. Then you have technology experts say[ing] that it won’t protect privacy. And yet the sponsors say, “Well, we should do it.” You say to yourself, “How does that add up?” Again, if you’ve acknowledged that it wouldn’t prevent attacks, and the most knowledgeable technologists and companies that make their living in this space say it won’t protect your privacy, and then you say, “Well, we’ll do it,” I just think that the arguments don’t add up.
I’m certainly not going to question their sincerity.
Have you heard from the leadership about whether or when your amendments will get votes? A number of votes have been scheduled for Tuesday. Do you know if yours and Senator Coons’ are going to be part of that?
I believe that they are. But when you’re working here and up against these very powerful interests, you make sure that you’re not saying something’s done until it’s done. But it’s our understanding that our amendments—we’ll get to offer them on Tuesday.
Do you think you have enough votes to get them passed?
It’s kind of like Yogi Berra—I always mangle the phrase, but, Yogi Berra said something along the lines of he doesn’t make predictions, especially about the future. I’m not going to make any predictions here.
You know—and you and I have talked about this—we won a lot of victories over the years after we had fewer votes than we got today. But Congress, particularly on technology issues—this country has been victimized by hacks, and people are concerned about it—Congress tends to react first, and then, on technology issues, make the numbers add up later on. And there’s a ways to go on that front for the reasons I’ve described.
Are you satisfied with the level of involvement from the tech companies opposing CISA? Would you look to see more from them and other Silicon Valley opponents?
I think the tech companies have been constructive. They’ve made it clear that, both from the cyber standpoint and from the standpoint of privacy and personal liberty, this doesn’t get the job done. They want policies that work, not policies that have glossy-sounding titles but really don’t get into the guts of the issues.
“Congress tends to react first, and then, on technology issues, make the numbers add up later on.”
I heard the sponsors of the bill repeatedly go through all of what they said were the privacy protections. And then I got up and said, “Let’s take a look at page 17 of this bill.” And then we just walked through why, with respect to real privacy protection, under this bill and the [amended version], there is no there there.
I want to wrap up by asking about Senator Whitehouse’s amendment that would increase computer-hacking penalties under the Computer Fraud and Abuse Act. At one point, it was apparently removed. Now, it sounds like it might be back in, thanks to some sort of compromise. Can you give me an update on that?
We’re working to see if there is a way that you can protect Americans’ data if the data is owned by a U.S. entity, regardless of where the attack on it was launched from, and not get into the CFAA changes. We are working on that discussion. Let us see how we do between now and Tuesday, but I obviously have strong views about the CFAA. It’s why Zoe Lofgren and I introduced Aaron’s law. I think it’s important to rein in these abuses, which in my view—and I spoke with Aaron’s family—I think you had a young man who was harassed. I don’t know any other way to describe it. I think he was harassed. That was not the purpose of the CFAA. I feel strongly about this. It’s why Congresswoman Lofgren and I introduced Aaron’s law. What we have been talking about with Senator Whitehouse [is] a way to protect Americans’ data if in fact it essentially is subject to attack from overseas.
Illustration by Max Fleishman