We all want the world to be a safer place. We want to be protected from cyberattacks, security breaches and terrorism aided by the Internet. And so, in theory, a piece of legislation wending its way through Congress, called the Cyber Intelligence Sharing Act (CISA) should have plenty of support from the tech industry, academics, citizens and others.
That it instead has been greeted as a dangerous, privacy-endangering proposal that would do little to keep us safe is a testament to just how shallowly Congress understands technology. Our national legislators seem to favor applying simple-minded, even misguided, fixes over paying serious attention to problems.
The idea behind the bill has some merit. It’s stated intention is to encourage private companies and government agencies to share information that could identify potential cyberthreats and cybercriminals. But although that goal sounds good, tech companies, privacy experts and academics warn that the actual bill is a significant privacy invader that will do nothing to keep us safer.
The Electronic Frontier Foundation sums up opposition to it in this way: “The bill is fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities.”
One of the biggest problems is that the proposal would allow companies to share a great deal of private information about people with one another and with the government — and that information can be used for purposes that have nothing to do with cybercrime investigations. What’s more, the information that can be shared is defined far too broadly, possibly including private emails, credit card statements and even private health data.
It gets worse from there. Under the legislation, private companies would get immunity from liability they might otherwise incur from sharing your data with others. And they would be exempt from the Freedom of Information Act. That means you won’t even be able to find out whether your information is being shared.
So it’s no accident that many people consider CISA not a cybersecurity bill but a surveillance bill. And they warn that, if passed, it would make us less, not more, secure. An open letter to Congress from professors who specialize in cyberlaw and cybersecurity warns that “CISA will weaken privacy and encourage governmental surveillance, with little upside for the public.” An accompanying letter from technologists, academics, and computer and network security professionals warns, “This excess sharing will not aid cybersecurity but would significantly harm privacy and could actually undermine our ability to effectively respond to threats.”
For similar reasons, Salesforce, Reddit, Yelp, Twitter and Apple all oppose CISA, as do the trade groups the Computer and Communications Industry Association and the Business Software Alliance, which count among their members Adobe, Dell, IBM, Microsoft, Oracle, Symantec, Amazon, Facebook, Google, Netflix and Yahoo.
If the bill passes, private information about people would flow from corporations to the Department of Homeland Security, and from there to the National Security Agency. Sen. Ron Wyden (D-Ore.) warns that it would be a “direct pipeline to the NSA.” The information would also be shared with the Department of Defense and the Office of the Director of National Intelligence.
Do you trust your private information with these agencies? You shouldn’t, and not just based on past experience of how they use data. The heads of the agencies have shown that they can’t be trusted to safeguard even their own private information. CIA chief John Brennan had his private AOL account hacked into by a teenager — and the account had emails that contained Social Security numbers and other private information of more than a dozen intelligence officials. How did the teenager break in? By pretending to be a Verizon employee and getting information directly from Brennan that ultimately let him get into the account. The teenager did something similar to break into a private email account of Department of Homeland Security Secretary Jeh Johnson. If Brennan and Johnson can’t protect their own private information, do you really think they can protect yours?
CISA isn’t law yet. It was passed by the Senate in late October. Two similar bills were passed by the House of Representatives. Now the Senate and House have to wrangle out their differences and pass a combined piece of legislation. President Obama has signaled that he’ll sign it.
Bipartisanship seems to be at work, because both Democrats and Republicans have signed on to supporting CISA and other bills like it. If this is what we get from bipartisanship, maybe having the parties work together is not such a good thing after all.
This story, "Congress targets cybersecurity; you’re the victim" was originally published by Computerworld.