The Cybersecurity Information Sharing Act, a new cybersecurity bill that would expand the powers of the NSA, is quickly moving through the Senate and could be voted on within a month. Similar legislation is expected to surface in the House of Representatives as early as later this week.
The basic framework of the bill allows the government and private companies to pass information back and forth freely.
It's good for companies, because it allows them to receive classified information from the government (which it cannot legally share now) in situations where that information could prevent hacking attempts on their systems. It's good for the government, because it allows companies to pass private information about their users in the event of a "cyber threat." No framework exists for this kind of information transfer currently.
And it's bad for you, because the definition of who could be a "cyber threat" is vague and could be easily abused, policy experts say. The information passed to the government will be shared with the NSA, and, in certain cases, will be shared with local and state police.
Besides sharing information, the bill also offers companies "liability protection," meaning that if they pass too much of your information to the government or do not properly anonymize certain types of your data, they cannot be held accountable in court.
This is to incentivize companies to share as much information as they can—if Facebook suspects you might be about to commit a crime, it would be allowed to tell the government that you might be a threat. Even if you're not a threat, you can't sue Facebook under the terms of the bill. Though the information sharing is "voluntary," the general thought is that companies that share more customer information with the government are likely to get better help from the NSA if, say, it uncovers a plot to hack their computer systems.
CISA was marked up in a closed session of the Senate Intelligence Committee late last week, which is an important step on the road to eventual passage. The bill's full text, which will be presented to the full Senate, finally surfaced today.
Though the bill's sponsors, Dianne Feinstein (D-Calif.) and Richard Burr (R-North Carolina), say that the bill "addresses privacy concerns" that were evident in earlier drafts of the bill, civil liberties experts say the new amendments don't go nearly far enough.
"The big takeaway here is that this is still a piece of legislation that creates a program that would transfer our private information to the government in what could cause potentially massive privacy violations," Drew Mitnick, a policy lawyer at Access, a digital liberties group, told me. "There were some minor changes, but nothing to alter the fact that this bill is still enabling the transfer of large amounts of private information to the NSA."
Access was one of dozens of civil liberties groups that wrote a letter vehemently opposing CISA earlier this month.
In an emailed press release, Feinstein said that the government "may only use voluntarily shared data under this legislation for cybersecurity purposes, to investigate cyber attacks, to address imminent threats to life and imminent terrorist attacks, and to investigate computer-related crimes and serious, violent felonies."
A new addition to the bill, however, defines a cybersecurity threat as anything that can cause "serious economic harm" to a company or government assets, and does not define the term or limit it to "economic harm" through, say, a hacking attempt.
"It's a vague standard, which is part of the problem. All of these standards can be used by law enforcement, and they're not clearly defined," Mitnick said. "Nothing changes the fact that this is a huge cybersecurity program that, on its face, is supposed to be about protecting critical infrastructure but in practice greatly expands the surveillance powers of the NSA."
A slightly different version of CISA made it through the Senate Intelligence Committee last year, but was never voted on by the full Senate. That seems highly unlikely to happen again this year, for a few reasons. The Sony hack of late last year has politicians desperate to pass any sort of cybersecurity overhaul, though it's unclear that a law like CISA would have made any difference in preventing the Sony breach.
Secondly, large parts of the Patriot Act, which empower many of the NSA's mass surveillance programs, are set to expire on June 1, and it's expected that Congress is about to spend a whole lot of time debating how much power the NSA should have. Lawmakers want to get cybersecurity off their plates before the NSA-reform discussion begins in earnest.
"It seems Senate leadership is prioritizing this over other cybersecurity proposals. They want to get this done before there's more awareness of the Patriot Act sunset, because they don't want to mingle the CISA privacy conversation with the Patriot Act one," Mitnick said.
So that's why we could see CISA, and a yet-to-be-announced bill in the House of Representatives, rushed through. CISPA, the bill that inspired CISA, was reintroduced in the House earlier this year, but Mitnick said that it looks like the bill is "dead in the water," because the Senate seems more anxious to pass CISA, so the House will likely go with something that looks more like that bill.
"There's going to be a bill, maybe two coming out of the House maybe as early as this week," he said. "It could look like CISPA or what we've seen in the Senate, but whatever it is, it'll have the same issues we've been talking about."