In a late-night session of Congress this week, Speaker of the House Paul Ryan (R-WI) announced an omnibus spending bill needed to prevent a government shutdown. However, buried in the 2,000-page document is the full text of the controversial Cybersecurity Information Sharing Act of 2015, which passed the Senate in October.
CISA has been widely criticized since it was first proposed in 2014. Senator Ron Wyden (D-OR) has called it "a surveillance bill by another name."
While the bill makes it easier for private sector companies to share user information with the government and other companies, it also removes privacy and liability protections in the name of better cybersecurity.
Critics like Wyden, along with other privacy advocates and many major tech companies, say removing those protections would turn Internet backbone companies into de facto surveillance organs. These companies would have no reason or incentive to preserve user privacy.
The omnibus version of the bill is even more invasive than previous versions. It removes the prohibition on information-sharing with the NSA, which means that information can be shared directly with the NSA (and US Department of Defense) without having to first go through the Department of Homeland Security, according to a report on TechDirt.
The report also notes that the new version removes the restrictions on using information for surveillance activities, gets rid of the limitations that required the government to use information only for cybersecurity purposes, and ditches the requirement to scrub personal information unrelated to a cybersecurity threat before sharing that information.
The Electronic Frontier Foundation issued a statement on the cybersecurity bill added to the Congressional year-end budget package, saying that it is "a combination of three bad cybersecurity bills passed by Congress this year: two pieces of legislation in the House," and CISA.
The EFF added:
The bills are also opposed by other privacy advocates, civil society organizations, computer security experts, and many Silicon Valley companies as the bills ignore the fact that companies and security experts can already share the much-needed technical information to stop computer security threats. Maybe more importantly, the bills do not address problems from the recent highly publicized computer data breaches that were caused by unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.
In short, the EFF says that CISA will do nothing to ameliorate the true causes of cyberattacks, and that it merely serves as a way for the government to monitor the activities of users.
The House Intelligence Community has said that the claims being made against CISA are inaccurate. While surveillance is not directly listed as a use of the bill, the information gathered through CISA can be used to investigate a variety of crimes, such as "a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or a use of a weapon of mass destruction."
Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ...