Last Tuesday, the United States Senate passed the Cybersecurity Information Sharing Act, or CISA, by a vote of 74-21. The bill, if signed into law by President Obama, will allow companies to share cybersecurity data with the Department of Homeland Security, which could then pass it on to other federal agencies such as the NSA and FBI. This is meant to be a measure that would strengthen our nation's tenuous grasp on cybersecurity, but there's a chance it just might have the opposite effect.
Advocates for the bill argue that CISA will speed the flow of threat information between the government and private companies. This would mean that if one company were hacked, it would be able to hand data about the intrusion to the Department of Homeland Security, which would feed the information to agencies such as the FBI and NSA. Those agencies would analyze the cause of the hack and then issue an alert to every other company that had opted into the information-sharing program. As a CNN article from last week put it, "Every cyberattack is like a flu virus, and CISA is intended to be a lightning-fast distribution system for the flu vaccine. Opt in, and you get a government shot in minutes, not months."
The flip side of the program is that by promising quick fixes for network security flaws, the government is giving companies an incentive to share data with it.
"Instead of a bill that encourages a company to improve their privacy network and take customer data more seriously, this does the opposite," Evan Greer of the internet privacy advocacy group Fight for the Future told me over the phone last week.
The full text of CISA as passed by the Senate includes a provision that requires companies to scrub personal information from whatever they hand over to the government, and also demands that private citizens be notified if their personal information is inadvertently shared with the government. On the other hand, CISA is worded so that it would also allow the federal government to identify, acquire, and possess data from the information systems of private entities that had opted into the program whenever the government judged a threat to be evident. In practice, this could mean that the government could obtain your personal information by peering into another company's systems without telling you it was doing so.
It is confusing and contradictory provisions such as these in CISA's text that have people worried. Senator Rand Paul introduced a petition to stop CISA, calling it a "so-called 'Cybersecurity' bill... packed with vague definitions that grant aggressive new spying powers that gut privacy laws and allow Internet providers and websites to hand over personal data to ANY agency in the federal government."
Elissa Shevinsky, CEO of the cybersecurity firm Jekudo Privacy Company, explained this sentiment in a recent op-ed, pointing out that the bill was originally put forth by the Senate Intelligence Committee. She wrote, "Intelligence gathering is more helpful for prosecuting crimes than it is for securing our technical infrastructures (our servers, our networks, our computers, our communication systems, etc.)."
These are many of the same concerns raised earlier against the Cyber Intelligence Sharing and Protection Act (known as CISPA), a similar bill that passed the House of Representatives in 2013 but stalled after widespread objection online and a veto threat from the White House. The difference is that CISA was formally endorsed by Barack Obama back in August.
Greer told me he felt that CISA was "literally the same thing" as CISPA and claimed that if Obama fails to veto CISA, "he's clearly just been posturing on things like net neutrality."
The primary difference between CISA and CISPA is the context in which the bills were introduced. Over the past year we've seen high-profile cyberattacks leading to massive data leaks from the likes of Sony, Ashley Madison, and the Office of Personnel Management. The pervasiveness of large-scale hacks has created a pressing public desire to keep the internet safe and an expectation that the government will address the issue.
"By and large these senators don't know what information-sharing is versus what digital hygiene is, or what security researchers and analysts do to actually protect networks," said Robyn Greene of the Open Technology Institute in a phone interview last week. "It's unbelievable to me that we're going down this path of increasing information-sharing as this quick fix instead of figuring out how to empower people who are actually experts in this."
Greene also expressed concern that connecting private companies to each other through a government hub could actually make us more prone to hacks. "The government is not a great steward of data," said Greene, pointing to the June Office of Personnel Management cyberattack that exposed the personal information of over 21 million people.
"Your data is not only going to be living on a server of the companies you give it to," Greene predicted. "It's going to be living on all sorts of networks across the government and other companies, and there's no requirement that it be given extra protection."
CISA has not yet been signed into law: it still has to clear the House of Representatives before reaching President Obama's desk. But, given that the House passed a near-identical cybersecurity bill this spring, it seems unlikely that the bill will see any significant changes before it gets to Obama.
Follow Luke on Twitter.