What do numerous privacy groups, civil liberties organizations, open government advocates, free market proponents, technologists, and the Department of Homeland Security have in common? Deep concern about the Cybersecurity Information Sharing Act, or “CISA,” a bill expected to come to a vote this week in the Senate.
As we’ve said before, CISA is the latest attempt to pass a bill that would give companies broad legal protections when they share personal information with the government and then allow the government to use that information for surveillance.
Now even DHS is joining the chorus of experts who agree that CISA is terrible. In a letter responding to questions from Sen. Al Franken (D-Minn.), DHS warned of the ways CISA could harm privacy and increase “complexity and difficulty” in responding to cybersecurity threats. In fact, the letter confirmed virtually all of our concerns about the bill:
CISA won’t improve cybersecurity
DHS already has a central hub created to promote sharing of cyber threats between private industry and the government. CISA would make this system less effective.
Because CISA bypasses all privacy laws and allows companies to share cyber threat information, which could include personal data and communications, with “any federal entity,” it would actually make the job of keeping track of real cyber threats difficult. CISA would “limit the ability of DHS to connect the dots and proactively recognize emerging risks,” according to the letter.
Add this to the already overwhelming evidence that CISA makes Americans’ online data less secure by making the government an even more tempting target for hackers.
Cybersecurity is a civilian mission and must be under civilian control
CISA takes authority away from DHS and gives it to military and intelligence agencies. In addition to allowing companies to share directly with any agency, CISA requires that all cyber threats shared with DHS be automatically and immediately forwarded to agencies like the FBI and NSA.
This is the opposite of what should be happening. As DHS points out in its letter, it is fully capable of doing a privacy scrub of the information it receives and still share it in a timely manner. But if CISA passes, that personal information — records about your finances, health, reading habits, and even your guns — would flow as-is to the NSA and military, where it can be used in ways that look an awful lot like the bulk surveillance activities revealed over the past couple of years.
It’s time to let CISA die
Back in 2012, Obama vowed to veto the similarly titled and similarly dangerous Cyber Intelligence Sharing and Protection Act, or CISPA. At the time, the Obama administration said that CISPA “fails to provide authorities to ensure that the nation’s core critical infrastructure is protected while repealing important provisions [of privacy law].”
If that sounds familiar, it’s because many of the arguments against CISPA apply to CISA. The bill harms privacy and fails to protect companies, the government or individuals against cybersecurity threats. It’s time the Senate heed everyone’s warnings and let CISA die.