A Surveillance Bill in CyberSecurity Clothing

The Senate may soon consider a so-called “cybersecurity” bill that undermines Americans’ privacy while weakening internet security.

  • Brennan Center for Justice
July 28, 2015

Almost every day, Americans learn about how some major institution has been hacked. The privacy of millions has been compromised. Now the Senate is poised to consider a bill that purportedly will enhance protection, the Cybersecurity Information Sharing Act (“CISA”). Don’t let the name fool you. CISA is a surveillance bill masquerading as cybersecurity reform.

First, CISA sets vague criteria for private companies to determine when a “cyber threat” exists. Companies can share user information with any federal agency when they believe there is a threat. Federal agencies, in turn, must immediately share all cyber threat information with the National Security Agency (“NSA”). Because this sharing occurs instantaneously, there is not even an attempt to remove consumers’ sensitive, personally identifiable information. The law also explicitly supersedes existing privacy laws that limit the government’s collection of citizens’ data, some of which were past responses to earlier governmental abuses.

In addition, when companies share information with the Department of Homeland Security (DHS), they receive protection from legal liability. This means that individuals whose information is revealed have no ability to challenge the data collection and distribution. Moreover, federal agencies and law enforcement are not limited to using the information for cybersecurity and national security purposes. Instead, they may use the data for any purpose, including ordinary criminal prosecutions, thereby bypassing both legal and constitutional protections.

Finally, CISA gives private companies the ability to engage in defensive tactics called “countermeasures” to combat cybersecurity threats. Under the proposal, companies have essentially free rein to undertake these aggressive maneuvers as long as they are technically confined to their own systems and do not “intentionally” destroy other entities’ systems. They may, however, still have significant effects on other networks, further undermining cybersecurity.

For instance, cyber attackers often hide behind innocent bystanders, masking their true identity. CISA would allow a company that has been hacked to hack the attacker back. If the hacker is posing as an entity on a different network, for instance a hospital or an emergency responder, the private company could damage the innocent network. Normally, this behavior would be against the law, but CISA amends current law to allow for these defensive operations. Because the defensive attacks would exploit system vulnerabilities and create new ones, CISA makes the Internet infrastructure less secure, not more.

If the government truly wanted to increase cybersecurity, it could start by mandating that federal agencies practice expert-recommended cyber hygiene. Even basic measures that cybersecurity experts consider necessary are not discussed in CISA. For example, most experts recommend that Internet users update software regularly, a piece of advice that is usually disregarded. Users can encrypt stored data, which makes it less valuable to attackers who steal it. They can also set strong passwords and use multi-factor authentication for sensitive data, which requires additional steps beyond a password to gain access. These strategies, which slow attackers down and make targets less attractive, could prevent 80 to 90 percent of cyber attacks. In fact, such measures could have prevented the breach at the Office of Personnel Management (OPM) and several other attacks.

CISA threatens personal liberty and makes the Internet less secure. The law encourages private entities to share vast troves of consumer data with federal agencies with no net gain for cybersecurity. Instead, consumer data will be more vulnerable to attack, particularly since there is no guarantee that the federal government will be a better custodian of consumer data than OPM was with employee data. The Senate should recognize CISA for what it is: a surveillance and privacy-killing bill in cybersecurity clothing.

Charlotte Lunday is a law student at The University of Washington School of Law.

