Nearly everyone dislikes CISA, so Congress will make it law

Congress is in a hurry to pass the information-sharing bill even as opposition continues to mount among tech companies, security experts, and privacy advocates

Nearly everyone dislikes CISA, so Congress will make it law

After spending months mired in the Senate, the latest incarnation of the Cybersecurity Information Sharing Act (CISA) advanced to the floor this week and could face a vote as early as next week. The move to pass the CISPA rehash -- which the Obama administration has indicated it will sign -- comes despite mounting opposition from technology companies, security experts, and privacy advocates.

Although CISA is branded a cyber security bill, it does nothing to actually improve the effectiveness of security systems. It's concerned instead with increasing the amount of information that corporations share with government and protecting those companies from liability for violating customers' privacy.

As InfoWorld's David Linthicum has said, CISA "does not do what it claims (protect us from cyber attacks) but instead makes it easier for the government to spy on us electronically." Wired magazine gave the bill "An F for Security But an A+ for Spying." 

In recent days, companies have been piling on to voice their opposition to the bill. Fight for the Future's Corporate Scorecard shows Google, Microsoft, Apple, Twitter, Yahoo, Amazon, and Dropbox among the 23 tech companies wanting to stop CISA. In addition, the Business Software Alliance and the Computer & Communications Industry Association oppose the bill's passage.

Security experts have spoken out against its weak privacy protections, overly broad monitoring, and allowance of defensive measures that could undermine cyber security. Even the Department of Homeland Security has said CISA is terrible, warning in a letter to Sen. Al Franken that it could harm privacy and increase "complexity and difficulty" in responding to cyber security threats.

"Our lawmakers' lack of understanding of cyber security isn't just embarrassing, it's dangerous. They should listen to the experts and abandon this hopelessly flawed bill," said Fight for the Future co-founder Tiffiniy Cheng.

InfoWorld's Bill Snyder wrote this week that Microsoft is at the forefront of tech companies' movement to protect users' privacy. And while "it's easy to be cynical and argue that Microsoft and other tech giants now lobbying for privacy have come to Jesus because the Edward Snowden revelations have made foreign customers wary of doing business with U.S. companies," the fact remains that Silicon Valley firms are standing strong on privacy.

But Congress seemingly will not be denied in its determination to pass an information sharing bill. The Cyber Intelligence Sharing and Protection Act (CISPA) was introduced in 2011 but failed to pass the Senate. Reintroduced in 2013, it was beaten back a second time. Last year any mention of "protection" was stripped out, but the rechristened CISA still languished -- only to be introduced again this year.

Now, in a move to speed the bill's passage, Senate leaders have attached eight of the 22 proposed amendments to CISA. An amendment from Sen. Ron Wyden, a leading voice for Internet privacy, did not make it into the package and faces an uphill battle. It would require that any personal information be removed before the data is passed to the government.

"We've always been told this is about threats, this is about threats to our country, our institutions," Wyden said. "Why do you need people's personal information?"

An amendment to narrow the definition of a "cyber threat indicator" -- used by companies in deciding which data to pass to federal agencies -- was also left out.

Another amendment that -- fortunately -- failed to make the package was one from Sen. Sheldon Whitehouse. As InfoWorld's Fahmida Rashid wrote recently, the amendment "would make sweeping changes to the CFAA. Instead of helping harden computer systems or protect people from malicious actors, the new provisions would give prosecutors 'more power to threaten more people with more prison time.'"

Sen. Dianne Feinstein defended her bill this week, saying provisions have been made to restrict the data that companies can share with the government, eliminate some of the more controversial government uses of the data, and set up "a fast, real-time filter" at the DHS to scrub personal information before data is shared government-wide.

Feinstein found it "hard for me to understand" why companies headquartered in her own state, such as Apple and Twitter, aren't supporting the bill.

The senator keeps pushing forward a bill that major tech companies, security experts, the DHS, and digital rights advocates have all called seriously flawed, and she thinks they're the ones who don't understand?

Earlier this year the Electronic Frontier Foundation said, "Congress is stuck in 1984. It doesn't seem to understand modern technology. So we're going to communicate with it in a way it'll understand: With faxes." The faxbigbrother campaign resulted in 6.1 million faxes opposing CISA. Now it turns out hundreds of thousands were "lost or deleted [by the Office of the Sergeant at Arms], without ever reaching the offices of the senators."

The Senate seems determined not to listen, and many observers believe CISA won't likely be blocked this go around.

"I don't ever make predictions," Wyden told reporters. "[But] I know what it's like to be up against very entrenched interests."

Copyright © 2015 IDG Communications, Inc.