Congress on Friday passed an omnibus budget bill that included the Cybersecurity Information Sharing Act, or CISA.
TheSenate earlier this year passed CISA, which many conservative and liberal politicians, high-tech firms, and privacy and civil liberty advocates oppose.
The latest version includes amendments that will allow corporations to freely share customers’ information with the government.
“This is the worst version of CISA yet, and we are deeply disappointed by its likely passage,” Mark Jaycox, legislative analyst at theElectronic Frontier Foundation said before the vote. “Such key legislation should not be sandwiched into a 2,000-plus-page federal spending bill.”
Truth in Government
The legislation “should have followed the normal process — a formal conference committee bill that’s sent back to the House and Senate separately for an up-or-down vote,” he told the E-Commerce Times.
Adding CISA to the omnibus budget bill “is why folks don’t trust the government,” said Rob Enderle, principal analyst at the Enderle Group.
“It’s fundamentally antidemocratic,” he told the E-Commerce Times.
Objections to the Latest Version
This version of CISA essentially lets private firms monitor their systems and access information flowing through them so long as they declare that it is being done for cybersecurity purposes.
Private organizations will be able to hand data, including private personal information, over to the federal government with legal immunity as long as they categorize it as cyberthreat information.
Further, there will be few, if any, restrictions on how the government can use the data it receives.
“Removing some of the legal restrictions on sharing cybercrime or threat data with the government is a win,” Erik Knight, president ofSimpleWan.
“However, it’s a blow to individual privacy rights,” he told the E-Commerce Times.
Data shared with the U.S. National Security Agency is useless without personally identifying information, and “almost negates the use for the NSA,” Knight said. It “will just show trends, not necessarily prevent any kind of active threat.”
On the other hand, “without restrictions on even protecting this data, most private data could become public, especially if the government has another data breach,” he said.
Too Much Information
TheU.S. Department of Homeland Security is concerned about the flood of information that will come down the pipeline with the passage of CISA.
The bill’s authorization to share data with any federal agency “will increase the complexity and difficulty of a new information sharing program,” DHS Deputy Secretary Alejandro Mayorkas wrote in July in response to a query from Sen. Al Franken.
Further, it “could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers,” he said.
The administration “should work harder to make more efficient use of the information they currently have legal access to before moving to violate our privacy to get more information they can’t effectively use,” Enderle said.
“The latest attack [in San Bernardino, California] was conducted by people who acted like terrorists on social media, and [federal agencies] couldn’t even pick that up,” he noted.
Opposition to CISA
Rep. Jim Jordan, chairman of the House Freedom Caucus, on Wednesday reportedly offered an amendment to the government funding bill that would have removed an undisclosed cybersecurity measure, among other things. It was filed to the House Rules Committee.
Fight for the Future has set up the ObamaDecides campaign opposing CISA. President Obama must sign the bill into law.
CISA “will not do anything to prevent cyberattacks,” said campaign director Evan Greer. It “gives companies an incentive to share data because they can then pass the buck to government when there’s a problem.”
Google and Facebook “haven’t done enough,” she told the E-Commerce Times, and are “hiding behind their industry body.”