Now that Congress has finally approved the USA Freedom Act, the next big cyber debate is shaping up around the Cybersecurity Information Security Act (CISA).
And, like the USA Freedom Act and the Patriot Act before it, the measure’s backers split down a line, with security advocates on one side and privacy advocates on the other.
CISA aims to increase information sharing about data breaches among both industry and government, in order to prevent and respond to future cybersecurity threats. The voluntary framework incentivizes companies to share their sensitive data with the government through expanded legal liability and immunity.
Sound familiar? CISA is actually a reincarnation of CISPA, the Cyber Intelligence Sharing and Protection Act, which Congress has flirted with since 2011.
CISA backers, including a bipartisan collection of legislators featuring co-author Sen. Dianne Feinstein (D-Ca), Sen. Patrick Leahy (D-VT), and Sen. Richard Burr (R-N.C.), government officials and industry groups, say sharing details of cyberattacks will lead both industry and government to harden their networks against attacks. While out of the Intel committee – on a 14-1 vote – the bill has yet to make it onto the Senate floor.
One group backing the measure is the Health Information Trust Alliance (HITRUST), which said in a statement that the bill will “provide legal certainty that companies sharing that information have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and defensive measures in real time and taking actions to mitigate cyberattacks.”
Sen. Mark Warner (D-Va.) is among the legislators in favor of action on the measure. Warner added an amendment to CISA requiring the intelligence community to produce a comprehensive account of cyberthreats as well as new technologies to detect breaches.
Sen. Warner said it’s not the government that wants to obtain citizens’ personal information, but hackers.
“Cyberattacks present a critical threat to our national security and our economy,” Warner said in a statement. “We cannot afford to keep dragging our feet in addressing the escalating threats posed by hackers out to steal individuals’ personal information.”
Patriot Act 2.0?
But privacy critics object, arguing CISA will drive companies to monitor internet users too closely.
“CISA could actually result in the kind of bulk surveillance activity that USA Freedom is intended to stop,” said Gabe Rottman, legislative counsel and policy advisor for the American Civil Liberties Union (ACLU), which opposes CISA. “Once information flows from the private sector to the government, the military and intelligence community could store and mine it for purposes that go far beyond ‘cybersecurity.’”
Rottman is particularly wary of a provision that exempts data shared with the government under CISA from the Freedom of Information Act. The ACLU also contends that the broad legal protection granted to companies is essentially a license to be negligent with customers’ personal information.
In a blog post, the ACLU’s Rachel Nusbaum labeled it the “Patriot Act 2.0.” Nusbaum wrote that whistleblowers in particular could be hurt.
“CISA would allow the government to use private information, obtained from companies on a voluntary basis (and so without a warrant) in criminal proceedings – including going after leakers under the Espionage Act,” Nusbaum wrote.
Privacy advocates say CISA could serve as an alternative NSA surveillance tool. Section 5A of CISA authorizes federal agencies to “disclose, retain, and use” shared data for many purposes beyond promoting cybersecurity.
That may be why, in March, Sen. Ron Wyden – the only member of the Senate’s intelligence committee to oppose the bill – detailed his privacy concerns in a statement.
“If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill – it’s a surveillance bill by another name,” he wrote. “It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.”
Meet in the Middle?
“If anything, the primary criticism leveled at them [government] – that the policies allow the sharing of too much data with too many people for too wide a variety of purposes – suggests we need to pare down, rather than expand, the types of information that [the bill] covers,” writes Slate’s Josephine Wolff. “We don’t need a cybersecurity information sharing policy, in other words. We need several.”