They say the first step is admitting you have a problem. But sometimes that's the easy part.
When it comes to cybersecurity, it seems everyone in Washington admits we have a problem. It's in the solutions phase where things really start to fall apart for policymakers.
Instead of focusing on ways to make our data (and the devices we store it on) more secure, Washington keeps offering up "cybersecurity" proposals that would poke huge holes in privacy protections and potentially funnel tons of personal information to the government, including the NSA and the military.
Thursday, the Senate Intelligence Committee met behind closed doors to mark up the Cybersecurity Information Sharing Act of 2015. They voted 14–1 to advance the bill, with Senator Wyden offering the lone no vote.
Unfortunately, by all accounts, CISA is one of those privacy-shredding bills in cybersecurity clothing.
If you remember CISPA, the information-sharing bill that fell under the weight of its privacy failings last Congress and even drew a veto threat from President Obama, the problems with CISA might sound a little too familiar. This bill is arguably much worse than CISPA and, despite its name, shouldn't be seen as anything other than a surveillance bill – think Patriot Act 2.0.
The bill could also pose a particular threat to whistleblowers – who already face, perhaps, the most hostile environment in U.S. history – because it fails to limit what the government can do with the vast amount of data to be shared with it under this proposal. CISA would allow the government to use private information, obtained from companies on a voluntary basis (and so without a warrant) in criminal proceedings – including going after leakers under the Espionage Act.
If you are wondering how giving companies a free pass to share our personal information with the government will make our data more secure, you aren't alone. We've already written about why real cybersecurity doesn't need to sacrifice our privacy.
The ACLU also recently joined with a broad coalition to remind the committee about some of these problems – problems which have not been adequately addressed in the Senate's proposal.
The letter reads, in part:
We now know that the National Security Agency (NSA) has secretly collected the personal information of millions of users, and the revelation of the programs has created a strong need to rein in, rather than expand, government surveillance. CISA disregards the fact that information sharing can – and to be truly effective, must – offer both security and robust privacy protections. The legislation fails to achieve these critical objectives by including: automatic NSA access to personal information shared with a governmental entity; inadequate protections prior to sharing; dangerous authorization for countermeasures; and overbroad authorization for law enforcement use.
You can read the full letter, and view the full list of signatories, here.