To the consternation of many — tech companies, privacy advocates, and civil liberties groups included — members of the Senate voted overwhelmingly Tuesday to pass a version of the Cybersecurity Information Sharing Act, a bill that many opposed argue will lead to continued pervasive government spying.
In the eyes of privacy advocates, the bill, which passed with a final vote of 74 to 21, is marred by the inclusion of security language so broad it may ultimately wind up undermining privacy laws already on the books.
At its crux, the goal of the bill is to foster a stronger relationship between companies when it comes to sharing information about potential cyberattacks with the government. The bill is partially a response to the seemingly endless line of data breaches that have affected companies over the past year like Anthem, Sony Pictures, JP Morgan Chase, and the Office of Personnel Management. Yet the lack of legitimate cybersecurity terms in the bill have many critics wondering whether it will simply make it easier for public and private entities to share information about other users with each other. After sharing information with the Department of Homeland Security, the department will be able to forward that information along to the FBI and NSA.
A conference committee between the House of Representatives and the Senate is expected to hash out the bill’s language further, but experts are skeptical any further tweaks would remedy the issues that have been plaguing the industry as of late, such as weak encryption and an apparent lapse in security training for federal employees.
Unlike CISPA, which the Obama administration threatened to veto citing privacy concerns back in 2012, CISA has the White House’s backing.
The Electronic Frontier Foundation, which has disapproved of the bill ever since it was floated to the Senate floor in mid-March, expressed its disappointment following the vote Tuesday.
“The passage of CISA reflects the misunderstanding many lawmakers have about technology and security,” Mark Jaycox, a legislative analyst with the EFF wrote Tuesday, “With security breaches like T-mobile, Target, and OPM becoming the norm, Congress knows it needs to do something about cybersecurity. It chose to do the wrong thing. EFF will continue to fight against the bill by urging the conference committee to incorporate pro-privacy language.”
As Jaycox notes, CISA is lacking when it comes to actual pro-privacy language.
When companies share what CISA advocates call “cyber threat indicators,” or information that may lead to a cyber attack, objectors to the bill argue the floodgates could open and lead to the erosion of privacy protections.
Last week, two members of the Senate in support of CISA, Dianne Feinstein (D-Calif.) and Senate Intelligence Committee chair (and CISA sponsor) Richard Burr (R-N.C.) released a fact sheet in an attempt to debunk myths around the bill. The two assured citizens that the Act “helps protect personal privacy, by taking steps to stop future cyber-attacks before the happen.”
While many opponents have argued that the bill will allow the government to outright spy on citizens, Feinstein and Burr stressed that sharing under the bill is voluntary and that companies will have a choice whether or not it they want to participate in the threat information sharing process.
“CISA provides a framework for cooperation on cybersecurity in a way that protects privacy by authorizing public and private entities to take defined, limited cybersecurity actions that can better protect businesses and government entities,” the two wrote.
One of the loudest government voices against CISA and federal surveillance as a whole, Sen. Ron Wyden (D-Ore) vowed yesterday to continue to fight the bill, which he’s called “flawed” and just “feel-good legislation.”
“The fight to secure Americans’ private, personal data has just begun,” Wyden said following the vote. “Today’s vote is simply an early, flawed step in what is sure to be a long debate over how the U.S. can best defend itself against cyber threats.”
Wyden, a noted opponent of the NSA’s surveillance practices, has argued in favor of laws in the past that would tighten the noose on government surveillance. Yesterday he warned that as it stands now, CISA would allow reams of Americans’ personal data to be shared with the NSA and the FBI.
“As today’s votes showed, a significant portion of the Senate believes more must be done to filter out Americans’ personal information before data is handed over to the government. As this legislation proceeds, I’ll continue to work with my colleagues to secure better protections for individuals’ personal information,” Wyden said.
Wyden and several other senators attempted to modify CISA on Tuesday with four amendments that would’ve hardened some of the bill’s privacy-centric protections, yet each one failed.
Both Wyden and Dean Heller’s (R-Nev.) amendments would have stripped personal information from data companies share with the government, Al Franken’s hoped to change the definition of information that could be shared, and Patrick Leahy (D-Vt.) argued that a provision in the bill would’ve weakenend the Freedom of Information Act (FOIA).
Next, lawmakers from both the Senate, and the House, which passed a companion bill of sorts, the Protecting Cyber Networks Act earlier this year, will have to convene and find common ground before the bill can be signed into law.
