CISA will mean more surveillance, not fewer cyber attacks

The proposed Cybersecurity Information Sharing Act would make us less secure

CSO staff

The Senate Intelligence Committee has passed CISA (Cybersecurity Information Sharing Act). If it becomes law, we'll all be worse off. The bill does not do what it claims (protect us from cyber attacks) but instead makes it easier for the government to spy on us electronically.

Those who promote the act claim that it successfully balances security and privacy. But if you read the bill, you see that claim is not true.

Ostensibly, the new amendments were designed to protect Internet users' personal information and to provide new ways for companies and federal agencies to coordinate a defense around cyber attacks. Considering the number of attacks that have made the news recently, this sounds like a good move.

However, the CISA bill has two major issues.

  • Although it's called a cyber security act, nothing in the bill actually increases the quality and effectiveness of security systems.
  • The close coordination and information sharing between the government and corporations could provide a better opportunity for surveillance. Indeed, most legal analysts have pointed out that the changes make it much easier for intelligence agencies to monitor private systems, both on-premises and in the cloud.

Even worse, CISA replaces the Electronic Communications Privacy Act of 1986 and the Privacy Act of 1974. These were the first lines of defense limiting government surveillance via eavesdropping. The CISA bill would allow information gathered by private companies to be shared with Homeland Security. Once that happens, it could be shared with the NSA, the Department of Defense, and others.

Unfortunately, there are no security benefits in this act. A much better bill would have defined security policies and mechanisms, including automated coordination, to defend against an attack. But Congress isn't trying to write or pass that better bill.