Photo: Rob Pegoraro/Yahoo Tech
A bill called the Cybersecurity Information Sharing Act — CISA for short — has become one of the least popular tech-policy proposals since another would-be law with a four-letter acronym became a four-letter word in tech circles.
CISA is no SOPA (the controversial “Stop Online Piracy Act” from a few years back, which would have empowered copyright holders to order allegedly infringing sites off the map of the Internet). But many tech leaders have lined up against CISA as if it were the spawn of SOPA.
For instance, Apple condemned CISA in a statement to the Washington Post: “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”
Twitter backed away from the bill in a tweet from its public-policy account: “Security+privacy are both priorities for us and therefore we can’t support #CISA as written.”
Not to be left out, NSA whistleblower Edward Snowden has been denouncing the proposal on Twitter as “the zombie #CISA surveillance bill.”
And yet the Senate seems likely to pass its version of CISA (it goes by the bill number S.754) after considering a series of amendments to it Tuesday, and President Obama seems likely to sign it into law. What is it about this bill that has techies so on edge?
Security as a team sport
The basic point of CISA is to make it easier for companies to share information about online threats with each other and with government authorities.
It’s not a new or crazy idea: Versions of this bill have been coming up for years. That’s because the history of companies trying to engage hackers in solo or semi-solo combat is not encouraging.
As the Edison Electric Institute, a trade group of power utilities, said in a recent statement: “The sharing of information needs to be faster, more actionable, and more efficient. To support these efforts, companies need more structure and legal certainty.”
(Security professionals don’t all buy that logic. “Many organizations do successfully share data among themselves and with government entities [e.g. law enforcement] in formal and informal ways,” emailed Johannes Ullrich, a researcher who runs a clearinghouse of threats called the Internet Storm Center.)
The question is, how do you provide that legal support while also keeping customers’ personal information private?
Supporters of CISA say it achieves that balance by requiring companies that volunteer to share threat information with the Department of Homeland Security to strip out “personal information of or identifying a specific person not directly related to a cybersecurity threat” before handing it over.
Opponents say that phrasing isn’t strong enough and also object to CISA’s “notwithstanding any other provision of law” grant of immunity to corporations that share threat info.
4-letter bill, 3-letter agency
What really sets off CISA foes, however, is the bill’s requirement that threat reports be “shared in an automated manner with all of the appropriate Federal entities.”
That list of seven entities includes the Office of the Director of National Intelligence — which, in turn, means the National Security Agency. Yes, Snowden’s favorite three-letter agency, the one his disclosures revealed had been conducting widespread domestic surveillance.
Summed up Greg Nojeim, senior counsel with the Center for Democracy and Technology: “CISA permits companies to share information directly with the NSA, notwithstanding any law.”
This is where the debate about CISA broadens to a more existential issue: Do you trust the government?
It’s one on which there is no obvious left/right split: Sen. Ron Wyden, D-Ore., doesn’t like this bill and neither does his Republican/libertarian colleague from Kentucky, GOP presidential candidate Rand Paul.
Conversely, not all of Big Tech hates the bill. Earlier in October, IBM said CISA would “affirmatively advance the cause of privacy” because it would help defend against hacking attempts that often end in the massive disclosure of personal information.
How do you solve CISA?
Tuesday’s votes on a series of proposed CISA amendments may ease the concerns of CISA skeptics or leave them angrier about the bill.
Nojeim, for instance, said he wants to see the Senate pass Wyden’s amendment requiring more thorough scrubbing of personal data before any sharing of threats; it would limit the damage this bill could do.
But Mozilla public-policy head Chris Riley said none of the possible amendments would fix CISA “enough that we feel the bill is worth passing.” The Electronic Frontier Foundation came to the same conclusion weeks ago, condemning CISA for its “vague definitions, broad legal immunity, and new spying powers.”
If CISA does pass, I can promise that two things won’t change.
One is that far longer-running tech privacy and security problems will remain unsolved, thanks to congressional inaction. The Computer Fraud and Abuse Act’s wide-open definitions will continue to threaten legitimate security research, and the Electronic Communications Privacy Act will offer pathetically little protection of messages stored online.
The other is that companies and government offices will continue to expose your data — not because they didn’t communicate with competitors or the government, but because they didn’t listen to warnings from their own employees about insecure systems. As a look at some of Congress’s other work ought to remind anybody, you can’t outlaw stupidity.