‘No customer oversight’: Dreaded cybersecurity bill CISA is back
The Cybersecurity Information Sharing Act of 2015, also known as CISA, is as polarizing as it is close to a vote. It finally hit the Senate floor for debate on Tuesday, with top sponsor Senator Richard Burr (R-North Carolina) highlighting its necessity because “actors around the world continue to attack US systems, and in many cases penetrate it.”
Under the bill, private companies would have increased liability protection with respect to collecting American’s personal data that could potentially be related to security threats. It would also make it easier for them to share such data with the government, including departments like the National Security Agency.
Prominent CISA opponent and privacy advocate, Senator Ron Wyden (D-Oregon), challenged Burr, who chairs the Select Committee on Intelligence, on one argument in particular.
“He said that the most important feature of the legislation is that it’s voluntary. The fact is, it is voluntary for companies. It will be mandatory for their customers,” Wyden said, “and the fact is the companies can participate without the knowledge and consent of their customers, and they are immune from customer oversight and lawsuits if they do so.”
In many cases, customers have been able to nudge companies from a pro to a con position on CISA. In one instance last month, the Business Software Alliance (BSA) sent a letter to legislators, in part calling for “cyber threat information sharing legislation” granting them immunity so that they could “more easily share that information voluntarily.” However, after Fight for the Future, an internet freedom advocacy group, set up YouBetrayedUs.org to criticize the organizations, the BSA changed its tune.
The BSA, which includes Apple, IBM, and Microsoft, now opposes CISA, as does the Computer and Communications Industry Association, which includes Google, Facebook, and Amazon. Reddit, Wikimedia, Twitter, and Yelp have also released anti-CISA statements.
“Leading security experts argue that CISA actually won’t do much, if anything, to prevent future large-scale data breaches such as the federal government has already suffered, but many worry it could make things worse, by creating incentives for private companies and the government to widely share huge amounts of Americans’ personally identifiable information that will itself then be vulnerable to sophisticated hacking attacks,” added the American Library Association in a press release.
The discussion on CISA comes after a stall in the Senate’s schedule before its August recess. Lawmakers agreed to delay a vote on the bill when it became clear that senators had many amendments to submit, some of which included so-called “riders,” or unrelated issues, such as Senator Rand Paul’s (R-Kentucky) amendments to audit the Federal Reserve and defund “sanctuary cities.” At least 22 amendments will be given a chance to be added to CISA before a final passage vote.
Burr optimistically told The Hill that “a couple of days” was all that was needed to get to a final vote on CISA. He may have overshot, however, because there could be a scrimmage over amendments despite his efforts. Burr, with support of other Senate leaders, has managed to combine eight amendments into a legislative package he shares with CISA co-sponsor Senator Dianne Feinstein (D-California), but the grouping includes only one of Wyden’s two amendments.
Wyden told reporters that the one he feels “most strongly about” hadn’t been included. It would have provided a review system for deleting private info before data gets passed on to the government. The Wyden amendment that was included in the bill only requires that people be notified when their data is inappropriately shared.
Although no vote has been scheduled yet, Senate Majority Leader Mitch McConnell (R-Kentucky) is trying to end debate by Thursday. Beyond CISA, the Senate has an ambitious to-do list. It will decide whether to extend government spending beyond September 30, address the Iran nuclear deal, and fund highways and transportation systems in a comprehensive bill.