Pressure is mounting against a cybersecurity bill that critics say endangers Americans’ privacy while still failing to protect against cyberattacks.
Security researchers this week joined privacy advocates in calling on President Obama to veto the Cybersecurity Information Sharing Act (CISA), which would let private companies share cyberthreat information with the United States government.
With the Senate set to take up CISA as early as Thursday morning, 68 technology professors, systems engineers, and IT consultants have written to Obama urging him not to sign it if it reaches his desk.
“CISA fails to address many of the concerns raised about preceding information sharing bills that the administration opposed, and it threatens to undermine privacy and civil liberties and increase cybersurveillance,” the letter says. “We strongly oppose CISA and we urge you to again defend privacy and civil liberties by voicing your opposition and your intention to veto it.”
A broad spectrum of civil-liberties groups, including the American Civil Liberties Union, the Electronic Frontier Foundation, the Government Accountability Project, and Human Rights Watch, also signed the letter. On Monday, several of those groups launched a campaign to inundate lawmakers with anti-CISA faxes.
A White House spokesman declined to comment on the legislation as it was still pending in Congress.
CISA is supposed to help the government and private companies better respond to cyberattacks by making it easier for them to share information about cyberthreats and learn from their mistakes. But the bill’s vague language has privacy groups worried that it could do more harm than good.
The letter from the experts and privacy advocates reminded Obama of his previous veto threats against the Cyber Intelligence Sharing and Protection Act (CISPA), CISA’s failed predecessor. Obama threatened to veto CISPA because of, among other things, inadequate protections for users’ personal information that could be swept up in the data-sharing process. CISA, the letter said, suffered from the same privacy flaws.
“CISA permits companies to leave personal and identifying information in [threat data] it shares with the government unless the company affirmatively knows that the information is not directly related to a threat—a condition that would rarely be met,” the letter said.
The coalition of experts and advocates also took issue with the bill’s language concerning how shared information could be used.
CISA does not specify what kinds of government investigations can use threat data from private businesses. In addition, tech companies are allowed to share data even when they do not believe it relates to a cybersecurity threat. Thus, the letter warned, companies could share data with the government to help it investigate crimes unrelated to the spirit of CISA—crimes that would normally merit stronger data-access protections.
The letter concluded by listing a bevy of other concerns with CISA’s vague language, including its provision letting businesses deploy unspecified and potentially dangerous “countermeasures” in response to cyberattacks.
The tech industry is not unanimously opposed to CISA. The Information Technology Industry Council, a major tech trade group, announced last week that it was urging senators to vote for the bill and said that it would “score” each of their votes in its congressional scorecard.