Photo: Rob Pegoraro/Yahoo Tech
A bill called the Cybersecurity Information Sharing Act — CISA for short — has become one of the least popular tech-policy proposals since another would-be law with a four-letter acronym became a four-letter word in tech circles.
CISA is no SOPA (the controversial “Stop Online Piracy Act” from a few years back, which would have empowered copyright holders to order allegedly infringing sites off the map of the Internet). But many tech leaders have lined up against CISA as if it were the spawn of SOPA.
For instance, Apple condemned CISA in a statement to the Washington Post: “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”
Twitter backed away from the bill in a tweet from its public-policy account: “Security+privacy are both priorities for us and therefore we can’t support #CISA as written.”
Not to be left out, NSA whistleblower Edward Snowden has been denouncing the proposal on Twitter as “the zombie #CISA surveillance bill.”
And yet the Senate seems likely to pass its version of CISA (it goes by the bill number S.754) after considering a series of amendments to it Tuesday, and President Obama seems likely to sign it into law. What is it about this bill that has techies so on edge?
Security as a team sport
The basic point of CISA is to make it easier for companies to share information about online threats with each other and with government authorities.
It’s not a new or crazy idea: Versions of this bill have been coming up for years. That’s because the history of companies trying to engage hackers in solo or semi-solo combat is not encouraging.
As the Edison Electric Institute, a trade group of power utilities, said in a recent statement:
“The sharing of information needs to be faster, more actionable, and more efficient. To support these efforts, companies need more structure and legal certainty.”
(Security professionals don’t all buy that logic. “Many organizations do successfully share data among themselves and with government entities [e.g. law enforcement] in formal and informal ways,” emailed Johannes Ullrich, a researcher who runs a clearinghouse of threats called the Internet Storm Center.)
The question is, how do you provide that legal support while also keeping customers’ personal information private?
Supporters of CISA say it achieves that balance by requiring companies that volunteer to share threat information with the Department of Homeland Security to strip out “personal information of or identifying a specific person not directly related to a cybersecurity threat” before handing it over.
Opponents say that phrasing isn’t strong enough and also object to CISA’s “notwithstanding any other provision of law” grant of immunity to corporations that share threat info.
4-letter bill, 3-letter agency
What really sets off CISA foes, however, is the bill’s requirement that threat reports be “shared in an automated manner with all of the appropriate Federal entities.”
That list of seven entities includes the Office of the Director of National Intelligence — which, in turn, means the National Security Agency. Yes, Snowden’s favorite three-letter agency, the one his disclosures revealed had been conducting widespread domestic surveillance.
Summed up Greg Nojeim, senior counsel with the Center for Democracy and Technology: “CISA permits companies to share information directly with the NSA, notwithstanding any law.”
This is where the debate about CISA broadens to a more existential issue: Do you trust the government?
It’s one on which there is no obvious left/right split: Sen. Ron Wyden, D.-Ore., doesn’t like this bill and neither does his Republican/libertarian colleague from Kentucky, GOP presidential candidate Rand Paul.
Conversely, not all of Big Tech hates the bill. Earlier in October, IBM said CISA would “affirmatively advance the cause of privacy” because it would help defend against hacking attempts that often end in the massive disclosure of personal information.
How do you solve CISA?
Tuesday’s votes on a series of proposed CISA amendments may ease the concerns of CISA skeptics or leave them angrier about the bill.
Nojeim, for instance, said he wants to see the Senate pass Wyden’s amendment requiring more thorough scrubbing of personal data before any sharing of threats; it would limit the damage this bill could do.
But Mozilla public-policy head Chris Riley said none of the possible amendments would fix CISA “enough that we feel the bill is worth passing.” The Electronic Frontier Foundation came to the same conclusion weeks ago, condemning CISA for its “vague definitions, broad legal immunity, and new spying powers.”
If CISA does pass, I can promise that two things won’t change.
One is that far longer-running tech privacy and security problems will remain unsolved, thanks to congressional inaction. The Computer Fraud and Abuse Act’s wide-open definitions will continue to threaten legitimate security research, and the Electronic Communications Privacy Act will offer pathetically little protection of messages stored online.
The other is that companies and government offices will continue to expose your data — not because they didn’t communicate with competitors or the government, but because they didn’t listen to warnings from their own employees about insecure systems. As a look at some of Congress’s other work ought to remind anybody, you can’t outlaw stupidity.