The Chamber of Commerce Needs to Get Its Facts Straight on CISA

This week the Chamber of Commerce doubled down on its support of privacy-invasive cybersecurity-information-sharing legislation. The bill in question, the Cybersecurity Information Sharing Act, gives broad liability protection to companies sharing private user information with the government, and it lets the government use the shared information for investigations and prosecutions that have no nexus to cybersecurity.

Just one week after Senate leadership announced they were scuttling plans to jam CISA through before their August recess, the chamber has tried to take privacy advocates to task for spreading myths about just how bad the bill really is.

But in reality, it’s the chamber that is way off the mark on CISA. The simple fact is that nearly every privacy group on the record opposes CISA, and over 6 million faxes have been sent to Congress to say the same.

But still the chamber boldly claims that the facts don’t support what we’ve been saying all along: CISA is a surveillance bill. But our fact check tells a very different story.

Chamber Myth #1: CISA’s definition of cyber threat indicator is very limited.

Fact: The definitions CISA uses are broad and vague. For instance, a cyber threat indicator, though slightly improved in the latest version of the bill, can still include “any attribute” of a cybersecurity threat. This language is broad enough to include the content of communications and other personal identifying information. And as discussed below, much of that personal information will flow to the government.

Chamber Myth #2: CISA does not authorize the government to surveil individuals, such as targeting crimes unrelated to cybersecurity.

Fact: The government can use information shared from companies to prosecute and investigate economic crimes as well as crimes under the Espionage Act. The latter has been used to prosecute whistleblowers and investigate journalists as spies, all of whom are exposing serious government misconduct.

Chamber Myth #3: CISA contains multiple, overlapping provisions to guard and respect privacy.

Fact: CISA only requires that companies remove personal information from what they share with the government if they “know at the time of sharing” that the information is not “directly related” to a cybersecurity threat. This knowledge requirement opens the door for companies to share information without scrubbing it for personal data because they may not know if it is directly related to a cybersecurity threat or not.

Chamber Myth #4: Businesses are not granted liability protection when sharing cyber threat indicators with the Department of Defense or NSA.

Fact: This one is pretty mythical. Companies receive liability protection from all privacy laws when they share information with the Department of Homeland Security. DHS is then required to forward all shared data directly with the NSA, FBI, and others, without change.

Despite claims to the contrary from the chamber and Senate leadership, CISA is a surveillance bill at its core — and one that is likely to make cybersecurity worse, not better. Privacy groups, technologists, and tens of thousands of Americans haven’t been fooled.

When the Senate comes back from recess, they should recognize the fact that it’s time to give up on CISA, and all surveillance bills masquerading as cybersecurity bills, for good.

CORRECTION: The original post incorrectly stated that over 6 million Americans faxed Congress to protest CISA. In actuallity, approximately 60,000 Americans sent over 6 million faxes. We regret the error.