Almost every day, Americans learn about how some major institution has been hacked. The privacy of millions has been compromised. Now the Senate is poised to consider a bill that purportedly will enhance protection, the Cybersecurity Information Sharing Act (“CISA”). Don’t let the name fool you. CISA is a surveillance bill masquerading as cybersecurity reform.
First, CISA sets vague criteria for private companies to determine when a “cyber threat” exists. Companies can share user information with any federal agency when they believe there is a threat. Federal agencies, in turn, must immediately share all cyber threat information with the National Security Agency (“NSA”). Because this sharing occurs instantaneously, there is no attempt even to remove consumers’ sensitive, personally identifiable information. The law also explicitly supersedes existing privacy laws that limit the government’s collection of citizens’ data, some of which were past responses to earlier governmental abuses.
In addition, when companies share information with the Department of Homeland Security (DHS), they receive protection from legal liability. This means that individuals whose information is revealed have no ability to challenge the data collection and distribution. Moreover, federal agencies and law enforcement are not limited to using the information for cybersecurity and national security purposes. Instead, they may use the data for any purpose, including ordinary criminal prosecutions, thereby bypassing both legal and constitutional protections.
Finally, CISA gives private companies the ability to engage in defensive tactics called “countermeasures” to combat cybersecurity threats. Under the proposal, companies have essentially free rein to undertake these aggressive maneuvers as long as they are technically confined to their own systems and do not “intentionally” destroy other entities’ systems. These maneuvers may, however, still have significant effects on other networks, further undermining cybersecurity.
For instance, cyber attackers often hide behind innocent bystanders, masking their true identity. CISA would allow a company that has been hacked to hack the attacker back. If the hacker is posing as an entity on a different network — for instance, a hospital or an emergency responder — the private company could damage the innocent network. Normally, this behavior would be against the law, but CISA amends current law to allow for these defensive operations. Because the defensive attacks would exploit system vulnerabilities and create new ones, CISA makes the Internet infrastructure less secure, not more.
If the government truly wanted to increase cybersecurity, it could start by mandating that federal agencies practice expert-recommended cyber hygiene. Even basic measures that cybersecurity experts consider necessary are not discussed in CISA. For example, most experts recommend that Internet users update software regularly, a piece of advice that is usually disregarded. Users can encrypt data, which makes it less valuable to hackers. They can also set strong passwords and use multi-factor authentication systems for sensitive data, which require additional steps to access the data. These strategies, which slow hackers down and make hacking targets less attractive, could prevent 80 to 90 percent of cyber attacks. In fact, such measures could have prevented the breach at the Office of Personnel Management (OPM) and several other attacks.
CISA threatens personal liberty and makes the Internet less secure. The law encourages private entities to share vast troves of consumer data with federal agencies with no net gain for cybersecurity. Instead, consumer data will be more vulnerable to attack, particularly since there is no guarantee that the federal government will be a better custodian of consumer data than OPM was with employee data. The Senate should recognize CISA for what it is: a surveillance and privacy-killing bill in cybersecurity clothing.
Charlotte Lunday is a law student at The University of Washington School of Law.