CISA Passes Senate: What Is It and Should the Internet Be Worried Yet Again?
On Tuesday, the U.S. Senate passed the Cybersecurity Information Sharing Act (CISA) with an overwhelming 74 to 21 vote. The bill has been stirring controversy in the worlds of information technology and privacy advocacy, and now it's on track to arrive at the president's desk, after the Senate and House conference committee works out the final language.
So what is CISA, and should the Internet's denizens be worried about the new legislation? Here's a primer.
What is CISA?
The Cybersecurity Information Sharing Act is a bill proposed to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes," as the Senate's introduction draft describes.
As for the cybersecurity part of CISA, it's designed to help IT companies like Google share information about threats and possible cyberattacks with the government, through certain legal protections that limit the companies' liability for sharing the information.
It's also designed to set up efficiencies in the process so that cyber threat information is shared in a real-time manner, so that threats in-progress can be stopped before they do the kind of damage you might remember from the Sony Pictures and Target hacks.
The Obama Administration supports the bill, saying it's "an important building block for improving the Nation's cybersecurity ... ensuring that private entities can collaborate to share timely cyber threat information with each other and the Federal Government." Proponents also emphasize that the information sharing is voluntary, and that companies can only share information having to do with cyber threats, while the government can only use the shared data for cybersecurity reasons.
Who's Worrying?
To put it plainly, all the parts of CISA under the "for other purposes" part of its original description have IT companies and privacy advocates quite worried.
For those who remember the Internet's uproar against SOPA and PIPA in 2012, when IT giants like Google, Mozilla, Tumblr, and Twitter spoke out against the legislation -- and Wikipedia and Reddit went as far as blacking out their sites days before Congress's vote -- CISA has produced a similar outrage among many in the technology industry.
Experts from Apple, IBM, Twitter, Mozilla, Amazon, Cisco, CloudFlare, MIT, as well as many independent cybersecurity experts and academics from across the nation are all against CISA this time, though a SOPA/PIPA-style protest blackout of major sites on the Internet doesn't seem likely at the moment.
And for those who remember the following year's Cyber Intelligence Sharing and Protection Act (CISPA), which died in the Senate after a laundry list of technology rights and privacy advocacy groups also protested, CISA is essentially the resurrection of that bill -- the name is even similar, but without the "protection" part.
Why Worry?
Critics say that CISA is a dangerous bill that, rather than increasing data security across the nation's networks, actually fails at that task, while opening the door for government snooping wider than ever before.
For example, besides enabling private companies to share information with the Department of Homeland Defense, CISA entails DHS will automatically and immediately pass tech companies' shared information to the Department of Defense, the Office of the Director of National Intelligence and the biggest data vacuum of all, the National Security Agency. Sen. Ron Wyden of Oregon, one of the biggest opponents of the bill, told Gizmodo that CISA was a "direct pipeline to the NSA."
On top of the new "post to all agencies" pipeline for companies' otherwise private data, CISA doesn't specifically define what information companies should share with the government, other than the idea that the data could be a "cyber threat indicator." It also provides no guidance about what data companies should anonymize or minimize, or what personal information shouldn't be sent, unless there's specific proof that it is not related to a threat.
And finally, a lot of experts fear CISA opens the door for more domestic surveillance without actually making the nation's networks any more secure. "The bill is fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities," wrote the Electronic Frontier Foundation after the Senate version passed on Tuesday. "The passage of CISA reflects the misunderstanding many lawmakers have about technology and security."
The EFF is a well-known progressive advocacy group and opponent of much government control over cyber -- but even DHS Deputy Secretary Alejandro Mayorkas (via TechCrunch) wrote that, in eliminating important privacy protections, CISA could weaken the overall security of the nation:
"The authorization to share cyber threat indicators and defensive measures with 'any other entity or the Federal Government,' 'notwithstanding any other provision of law' could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers."
Mayorkas added that in trying to incentivize data sharing, CISA "undermines that policy goal, and will increase the complexity and difficulty of a new information sharing program."
In what may be a first, NSA whistleblower Edward Snowden shared similar sentiments with top DHS brass, recently telling Reddit regarding CISA, "It's not going to stop any attacks. It's not going to make us any safer. It's a surveillance bill."
Here's the full text of the bill passed on Tuesday by the Senate, after five separate amendments meant to add protections and limitations were all defeated.