The Cybersecurity Information Sharing Act, the most important and sweeping cybersecurity bill ever considered by Congress, was introduced on the Senate floor Tuesday and will move forward, with a vote expected sometime later this week.
We posted a brief rundown of CISA here (and have covered the bill in depth over the course of the last year), but essentially it encourages private companies to share "cyber threat" information with the federal government. The information can be passed to local and federal law enforcement, and can be funneled to the National Security Administration "in real time," according to the bill's language. Companies that participate would have liability protections, meaning that if they pass the government information they aren't supposed to, you cannot sue them.
"Sharing information about cybersecurity threats is clearly a worthy goal and I would like to find ways to encourage more of that responsibly," Oregon Sen. Ron Wyden, one of the few outspoken critics of the bill, said on the Senate floor Tuesday. "Yet if you share more information without strong privacy protections, millions of Americans will say 'That is not a cybersecurity bill, it is a surveillance bill.'"
North Carolina Sen. Richard Burr, who is sponsoring the bill, spent much of his allotted time listing off high-profile hacks from the past year. Burr and his cosponsor, Dianne Feinstein, say that CISA could help prevent hacks; Wyden countered, saying that by creating new repositories of information, the US government would create new hacking targets.
Independent security experts tend to side with Wyden. Robert Graham of Errata Security tweeted that CISA would have a "tiny benefit at best."
"I can find no cybersecurity experts (who aren't tied to government) who support CISA," he tweeted. "Certainly the benefits of CISA are far less than the harm of invading people's privacy and contributing to a cyber police state."
The Senate is moving forward with the bill nonetheless. Toward the end of Tuesday, the full chamber began to consider a slew of proposed amendments to the bill. Burr said he's waited long enough for a vote on CISA, which is similar to the Cybersecurity Information Sharing and Protection Act (CISPA) bills that have circulated around Congress without a vote in the Senate for the last four years.
"Let's end this process in a matter of days," Burr said.
Privacy organizations, who have mounted the fiercest opposition to the bill over the past few months, had the strongest words about the bill. Nathan White, senior legislative manager at Access, a digital human rights group, told me "CISA is a backdoor to surveillance."
"CISA is a nightmare dressed as a daydream. A surveillance bill masquerading as a cybersecurity bill," he said. "CISA is fundamentally flawed because of its broad immunity clauses for companies, vague definitions, and aggressive spying powers. If the Senate is serious about protecting against cyber threats, we don't need more spying, we need better security."