As recently reported, Senate Intelligence Committee “markup” and approval of the privacy-hostile Cybersecurity Information Sharing Act of 2014 (CISA), S. 2588, was delayed until after Congress’ brief July 4 recess . . . but not for long. Again meeting in secret, the Committee approved a somewhat modified (but insufficiently improved) version of the bill on July 10.
Like three other similar bills introduced in the past four years, CISA is intended to head off and remediate hacking and other threats to communications and government electronic networks by authorizing private communications companies to share evidence of those “cybersecurity threats” with multiple arms of the federal government. To enable and encourage such reporting, however, it also effectively immunizes those companies against any legal action that might be brought against them by individual customers whose private information is disclosed without their permission.
So what’s wrong with preventing and blunting cyber-attacks? Nothing, except that CISA and its predecessors foster that laudable objective in the most overbroad way possible without building in important, entirely reasonable and wholly achievable safeguards for Americans’ privacy. As ALA’s coalition partners at the Open Technology Institute of the New America Foundation and Electronic Frontier Foundation have pointed out in new analyses of the bill, as passed by the Senate Intelligence Committee, CISA:
- compels military involvement in previously civilian cybersecurity programs by requiring that cyberthreat information be instantly shared with the Department of Defense, NSA and Director of National Intelligence;
- so broadly defines key terms like “cybersecurity purpose” and “cybersecurity threat” as to maximize threats to individual privacy rather than minimize them;
- disturbingly authorizes the use of “countermeasures” against perceived threat sources;
- makes no effort to effectively limit the amount of consumers’ personally identifiable information swept up in companies’ threat reports;
- permits companies to monitor their customers’ accounts and activities to a much greater extent than current law permits; and
- gives companies that share information virtually blanket immunity for any harm caused to their customers as a result of unjustified or excessive sharing, or of “countermeasures” taken against them improperly or erroneously.
With CISA now reportedly supported not just by the intelligence community but by powerful interests in the banking, securities and other industries, ALA and its coalition partners are concerned that it could be among the few bills that the Senate actually takes up in the waning days of the current (pre-August break) legislative session and the current Congress, which is likely to adjourn not long after Labor Day until after the November 2014 mid-term elections. Accordingly, we and our partners yesterday delivered a letter to President Obama calling on him to publicly indicate that he will veto CISA, or any similarly overbroad and dangerously imbalanced “cybersecurity” legislation that fails to much more fully protect all of our personal privacy. The President issued such a statement in 2012 regarding similar legislation.
ALA and its partners will also continue, of course, to fight CISA in the Senate, and it’s entirely likely that we’ll need your help. Sign up now to learn what you can do when the call comes.