The Cybersecurity Information Sharing Act (CISA) — the private-public data-sharing bill dividing lawmakers, tech companies and civil liberties groups all summer — gained powerful supporters and detractors this week, as Congress prepares to renew debate on the bill following its August recess.
USTelecom, one of the broadband industry’s biggest lobbying firms, and the Electronic Frontier Foundation, the digital civil liberties group behind a number of lawsuits filed against the federal government over mass surveillance, are two of the biggest groups to make new arguments for and against CISA this week.
“[T]his legislation is fundamentally about enabling American companies to monitor and protect American information systems, safeguarding them from harm against [cyber threat indicators] by empowering the more rapid and efficient sharing of information specifically about those CTIs,” USTelecom said in a blog post Thursday.
“The bill is not about authorizing either American companies or the government to proactively go out and spy on either Americans or foreigners in search of information about their online activities or communications.”
According to the legislation, CISA will allow private companies like Google, Facebook, Microsoft and others to legally share CTIs — typically code associated with software used in cyberattacks including viruses, malware, botnets, etc. — with federal intelligence, law enforcement and defense agencies.
“[W]hatever legal authorities the federal government may have to engage in communications and online surveillance activities derive from an entirely different source,” the blog continued. “This legislation will neither add to nor detract from those separate authorities.”
Yet that’s exactly what the bill will do, according to EFF and others, who previously described CISA as a “surveillance bill masquerading as a cybersecurity bill.”
“EFF opposes the bill because its vague definitions, broad legal immunity, and new spying powers allow for a tremendous amount of unnecessary damage to users’ privacy,” the group wrote in a blog post Thursday before going on to criticize recent White House support for the bill.
“The Obama administration’s endorsement is a complete reversal from its previous stance on privacy-invasive cybersecurity bills. In 2012, the White House published a detailed two-page veto threat against CISA’s antecedent, the Cybersecurity Information Sharing and Protection Act (CISPA).”
At the time the White House noted CISPA “lacks sufficient limitations on the sharing of personally identifiable information between private entities” and “inappropriately shield companies from any suits where a company’s actions are based on cyber threat information identified, obtained, or shared under this bill, regardless of whether that action otherwise violated federal criminal law or results in damage or loss of life.”
“The same is true of CISA, which is why the administration should’ve vetoed the bill,” EFF wrote, adding that the bill does not mandate companies remove unrelated personal user data before sharing it with the government.
Such data includes IP addresses, emails and user account information like passwords.
The government can then use those indicators to surveil suspicious targets. In the case of the NSA, that means an expanded pool of “selection terms” the agency uses during upstream surveillance — when it intercepts international and domestic data as it travels across the undersea cables and switches that make up the global Internet’s infrastructure.
Detractors further point out that CISA fails to address the major causes of recent successful cyberattacks like the one launched against the Office of Personnel Management — unencrypted files, un-updated software, poor or outdated system architecture and employees mistakenly downloading malware.
Republican leaders in the Senate initially planned to vote on the bill before this month’s recess, but failed to find the time and the support necessary to bring the bill to the floor.
Groups including EFF and Human Rights Watch, which led a campaign to send billions of faxes to the upper chamber in opposition to CISA late last month, considered the stall a major victory in reducing the bill’s momentum.
“Even though the president wants to sign the bill, the Senate must pass CISA first,” the EFF said. “We must continue the pressure on the Senate to stop this bill.”