Information-Sharing Bill Would Extend NSA’s Reach, Opponents Argue
Dozens of organizations and individuals, including some of the nation’s leading security experts, have come together to urge lawmakers to oppose the Cybersecurity Information Sharing Act, a bill whose backers say would “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.”
Some of the bill’s opponents — including the American Civil Liberties Union, the Free Press Action Fund, the New America Foundation and 45 others — sent a letter this month to the Senate Select Committee on Intelligence, arguing that, despite the bill’s name, CISA would do little to strengthen cybersecurity and would actually expand unnecessary surveillance on Americans.
The proposed law, which is currently being considered by the Senate panel, would set up a new network for private corporations to share customer data with nearly all levels of law enforcement and intelligence. That data might include anything from customers’ names to their Internet histories to the content of their communications. However, the bill does not include any measures to increase protection of such sensitive personal information.
“Congress has been pursuing deeply flawed info-sharing bills like CISA for nearly half a decade, and each bill has stalled because of serious concerns raised by the privacy community,” Robyn Greene, policy counsel with New America’s Open Technology Institute, said in a statement. “Now that security experts are joining our opposition, and telling them that CISA isn’t just bad for privacy but bad for cybersecurity itself, perhaps Congress will finally reassess its approach.”
According to Greene, the level of sharing permitted under CISA would extend the reach of NSA surveillance because there would be no checks or balances on the new authorities that it would grant. In contrast, at least a court is involved in approving the actions of the intelligence agencies conducting surveillance under the Foreign Intelligence Surveillance and Patriot Acts.
CISA would allow “private companies to share any information deemed to be an indicator of a cyberthreat (called a signature) — free of liability and without any guarantee that a review process has taken reasonable steps to remove personal information beforehand,” privacy expert Joshua Kopstein, who did not sign the letter, wrote at Al Jazeera America. “Once shared, the National Security Agency will be able to access all the data in real time, and law enforcement agencies will be allowed to retain and use it for a broad set of purposes, not just imminent threats to life and limb.”
One other alarming provision of CISA as it is currently written would allow companies to instigate “countermeasures” against possible cyberthreats while being given immunity from prosecution for wrongful attacks.
The bill would give “companies permission to retaliate against hackers, as long as they don’t intentionally damage another U.S. entity’s computer systems in the process,” Kopstein wrote.
But for a company to instigate countermeasures against a possible cyberthreat, it would likely have to destroy data or block data channels. In carrying out those measures, it could damage networks and servers unrelated to the alleged threat, which could have unintended consequences.
For example, if a real hacker routed his or her attacks through an innocent bystander’s network — a hospital’s, let’s say — those countermeasures could have disastrous consequences, and because a company instigating such a clumsy counterattack would know that it could not be prosecuted, it would have little reason to consider alternative responses.
CISA would also permit law enforcement to use data from citizens for investigations not related to cybersecurity. As the signers of the letter put it: The bill would permit “law enforcement to use information it receives for investigations and prosecutions of a wide range of crimes involving any level of physical force, including those that involve no threat of death or significant bodily harm.” In other words, law enforcement could use personal data to aid all kinds of investigations not directly connected to the data, even very minor ones.
The intelligence committee can decide either to reject the bill or to add amendments and move it forward to the full Senate for a final vote. Amendments could still be added at that point, Greene told Truthdig, but it is unlikely that they would be significant.Wait, before you go…
If you're reading this, you probably already know that non-profit, independent journalism is under threat worldwide. Independent news sites are overshadowed by larger heavily funded mainstream media that inundate us with hype and noise that barely scratch the surface. We believe that our readers deserve to know the full story. Truthdig writers bravely dig beneath the headlines to give you thought-provoking, investigative reporting and analysis that tells you what’s really happening and who’s rolling up their sleeves to do something about it.
Like you, we believe a well-informed public that doesn’t have blind faith in the status quo can help change the world. Your contribution of as little as $5 monthly or $35 annually will make you a groundbreaking member and lays the foundation of our work.Support Truthdig