The Cyber Information Sharing Act (CISA) passed in a 74-21 U.S. Senate vote last week. Critics of CISA say the bill will allow the government to collect sensitive personal data unchecked. Civil liberty and privacy groups, leading technology companies and (via Twitter) Edward Snowden have come out against the bill.
The stated intention of CISA is “to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” In short, CISA encourages technology companies to share with the government information about cyber attacks on their networks—as a strategy to fight hacking and cyber crime. Sounds like a noble goal at first blush, but further investigation reveals something decidedly less so.
CISA empowers organizations to monitor and share private citizens’ personal data with government agencies—without the consent of the owner of the data. Given that CISA directly targets technology organizations, the data in question includes that of U.S. citizens.
Your personal data. My personal data. Monitored without a warrant or notification if it is deemed to be a “cyber threat.” The challenge is that CISA’s definition of cybersecurity threat is broad; the only noted exclusion is “any action that solely involves a violation of a consumer term of service or licensing agreement.” Even more troubling, CISA incentivizes tech companies to share cyber threat indicators by providing them with legal immunity against antitrust lawsuits.
This is not the first time an information sharing bill has been proposed in an effort to fight cybercrime. CISPA (the Cyber Intelligence Sharing and Protection Act), the precursor to CISA, was passed by the House of Representatives in 2013, but was shelved when President Barack Obama threatened to veto it due to issues with the bill’s privacy protections. President Obama has endorsed CISA and indicates that he will sign it into law.
[Cloud Security Alliance Blog]