CISA is an out-and-out surveillance bill masquerading as a cybersecurity bill. It won’t stop hackers. Instead, it essentially legalizes all forms of government and corporate spying.
Here’s how it works. Companies would be given new authority to monitor their users — on their own systems as well as those of any other entity — and then, in order to get immunity from virtually all existing surveillance laws, they would be encouraged to share vaguely defined “cyber threat indicators” with the government. This could be anything from email content, to passwords, IP addresses, or personal information associated with an account. The language of the bill is written to encourage companies to share liberally and include as many personal details as possible.
That information could then be used to further exploit a loophole in surveillance laws that gives the government legal authority for their holy grail — “upstream” collection of domestic data directly from the cables and switches that make up the Internet.
Thanks to Edward Snowden, we know that the NSA, FBI, and CIA have already been conducting this type of upstream surveillance on suspected hackers. CISA would give the government tons of new domestic cyber threat indicators to use for their upstream collection of information that passes over the Internet. This means they will be gathering not just data on the alleged threat, but also all of the sensitive data that may have been hacked as part of the threat. So if someone hacks all of Gmail, the hacker isn’t the only one who gets those emails; the U.S. government gets them too.