The Cybersecurity Information Sharing Act (CISA) is intended to make it easier for businesses and the government to share information with each other about cyber-attacks, removing existing legal barriers that prevent this.
Senate Intelligence Committee Chairwoman Dianne Feinstein said in a statement:
Every week, we hear about the theft of personal information from retailers and trade secrets from innovative businesses, as well as ongoing efforts by foreign nations to hack government networks. This bill is an important step toward curbing these dangerous cyberattacks.
To strengthen our [computer] networks, the government and private sector need to share information about attacks they are facing and how best to defend against them. This bill provides for that sharing through a purely voluntary process and with significant measures to protect private information.
Organizations that share information would first have to strip out personally identifiable data, such as names, addresses, and Social Security numbers. Threat data can then be sent to a Department of Homeland Security portal from which it will be shared in real time with the likes of the Defense Department, the FBI and the NSA.
Feinstein argues that this passing on of information is logical:
I don't know what information you would be concerned about that NSA would have in an information-sharing bill. If somebody's hacking, you want [the information] to go where it needs to go.
But civil liberties activists insist that CISA still fails to protect personal privacy rights and two committee members backed up these concerns. Gregory T. Nojeim, senior counsel for the Center for Democracy & Technology, stormed:
This is unacceptable. Users' communications information will continue to flow to the NSA under a cyber security umbrella even when it is irrelevant to a cyber threat.
Gabe Rottman, American Civil Liberties Union legislative counsel, added:
It’s extraordinary given what we’ve learned in the past year. You would hope that Congress would be more protective of privacy rather than less.
Two members of the Senate Committee sided with the protestors. Ron Wyden (D-Ore.) and Mark Udall (D-Colo.) said:
We have seen how the federal government has exploited loopholes to collect Americans' private information in the name of security. The only way to make cyber security information-sharing effective and acceptable is to ensure that there are strong protections for Americans’ constitutional privacy rights.
Without these protections in place, private companies will rightly see participation as bad for business. We are concerned that the bill lacks adequate protections for the privacy rights of law-abiding Americans, and that it will not materially improve cyber security.
Taking a liberty
Warnings had been flagged up to the committee in advance in the form of a joint letter from the American Civil Liberties Union, the Center for Democracy and Technology, the Electronic Frontier Foundation and other privacy groups, in which they argued that, far from reining in NSA surveillance, the bill would encourage a vast flow of private communications data to the NSA.
Supporters of the legislation include US financial services industry lobbyists such as the American Bankers Association and the Financial Services Roundtable.
In a joint letter from Frank Keating, president and chief executive officer of the American Bankers Association; Tim Pawlenty, president and CEO of the Financial Services Roundtable; and Kenneth Bentsen, president and CEO of the Securities Industry and Financial Market Association, the three groups call CISA:
a very good step forward. The threat of cyber-attacks is a clear and present danger to our industry and to other critical infrastructure providers that we and the nation as a whole rely upon. [CISA] further strengthens the ability of the private sector and the Federal government to work together to develop a more effective information sharing framework to respond to cyber threats.
CISA is the follow-up to the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the House last year, but stalled after more than 100,000 people signed a protest petition on the White House web site, causing the Obama administration to threaten to veto CISPA.
Ironically CISA progressed to its next stage only days after The Washington Post ran a story proclaiming that 90% of people whose communications were intercepted by the NSA were ordinary internet users, not foreign spy or terror suspects.
The newspaper said it reviewed some 160,000 emails and instant-messages and 7,900 documents from some 11,000 online accounts gathered by the NSA between 2009 and 2012 and found that nine out of 10 of the account holders - both US based and overseas - were not the intended surveillance targets.
CISA now heads to the full Senate for a vote, but may yet stumble due to a shortened legislative calendar and likely growing opposition at large. Feinstein herself admits:
This is the first bill in a very difficult arena. It’s very much a first step. Later on there may be other steps that need to be taken.
As ever, the road to hell is paved with good intentions.
What Feinstein and her colleagues are trying to do is almost certainly a well-intentioned attempt to tackle cyber-security concerns among businesses, particularly in the financial services sector.
Supporters of the bill repeatedly raised the threat from cyber-hackers to the US economy, which, as Bill Clinton reminded us, is what it is all about.
But if this laudable ambition adds to the data collecting powers of the NSA, then pushing the bill as strongly as this indicates a decided lack of political radar when it comes to post-Snowden sensitivities.