Remember CISA? The “Cybersecurity Information Sharing Act”? It’s getting much, much worse, with Congress and the administration looking to ram it through — in the process, dropping any pretense that it’s not a surveillance bill.
As you may recall, Congress and the White House have been pushing for a “cybersecurity” bill, for a few years now, that has never actually been a cybersecurity bill. Senator Ron Wyden was one of the only people in Congress willing to stand up and directly say what it was: “it’s a surveillance bill by another name.” And, by now, you should know that when Senator Wyden says that there’s a secret interpretation of a bill that will increase surveillance and is at odds with the public’s understanding of a bill, you should to listen. He’s said so in the past and has been right… multiple times.
Either way, a version of CISA passed the House a while back, with at least some elements of privacy protection included. Then, a few months ago it passed the Senate in a much weaker state. The two different versions need to be reconciled, and it’s been worked on. However, as we noted recently, the intelligence community has basically taken over the process and more or less stripped out what few privacy protections there were.
And the latest is that it’s getting worse. Not only is Congress looking to include it in the end of year omnibus bill — basically a “must pass” bill — to make sure it gets passed, but it’s clearly dropping all pretense that CISA isn’t about surveillance. Here’s what we’re hearing from people involved in the latest negotiations. The latest version of CISA that they’re looking to put into the omnibus:
Removes the prohibition on information being shared with the NSA, allowing it to be shared directly with NSA (and DOD), rather than first having to go through DHS. While DHS isn’t necessarily wonderful, it’s a lot better than NSA. And, of course, if this were truly about cybersecurity, not surveillance, DHS makes a lot more sense than NSA.
Directly removes the restrictions on using this information for “surveillance” activities. You can’t get much more direct than that, right?
Removes limitations that government can only use this information for cybersecurity purposes and allows it to be used to go after any other criminal activity as well. Obviously, this then creates tremendous incentives to push for greater and greater information collection, which clearly will be abused. We’ve just seen how the DEA has regularly abused its powers to collect info. You think agencies like the DEA and others won’t make use of CISA too?
Removes the requirement to “scrub” personal information unrelated to a cybersecurity threat before sharing that information. This was the key point that everyone kept making about why the information should go to DHS first — where DHS would be in charge of this “scrub”. The “scrub” process was a bit exaggerated in the first place, but it was at leastsomething of a privacy protection. However, it appears that the final version being pushed removes the scrub requirement (along with the requirement to go to DHS) and instead leaves the question of scrubbing to the “discretion” of whichever agency gets the information. Guess how that’s going to go?
In short: while before Congress could at least pretend that CISA was about cybersecurity, rather than surveillance, in this mad dash to get it shoved through, they’ve dropped all pretense and have stripped every last privacy protection, expanded the scope of the bill, and made it quite clear that it’s a very broad surveillance bill that can be widely used and abused by all parts of the government.
There is still some hesitation by some as to whether or not this bill belongs in the omnibus bill, or if it should go through the regular process, with a debate and a full vote on this entirely new and different version of CISA. So, now would be a good time to speak out, letting your elected officials and the White House know that (1) CISA should not be in the omnibus and (2) that we don’t need another surveillance bill.
In the meantime, if Congress were actually serious about cybersecurity, they’d be ramping up the acceptance and use of encryption, rather than trying to undermine it.