Lawmakers worked for days on an agreement about which amendments to include on the cyber bill, but Senate leaders pulled the plug at the last minute on a vote scheduled first for 10:30 a.m, then for 2 p.m. Then they decided to skip town.
Under the deal senators struck Wednesday afternoon, the cyber bill will come up again in September after recess, and 21 Democratic and Republican amendments will receive votes.
The bill—put forward by the top members of the Senate Intelligence Committee, Sens. Richard Burr and Dianne Feinstein—would offer incentives to the private sector to share information about cyberthreats with the government.
Supporters, including senators from both parties and many in the private sector, say the information sharing legislation would make for stronger cyberdefenses against hackers. But privacy advocates in and out of the Senate have raised flags about the bill’s treatment of Americans’ sensitive information, saying it will violate personal privacy, and security experts have questioned the bill’s effectiveness.
The fight is not yet over but this is absolutely a step in the right direction. There remains a lot of work to ensure Congress does not pass pointless legislation, especially when CISA is essentially a completely unnecessary surveillance bill.
“The Internet is clearly pissed off that Congress is trying to pass off a blatant surveillance bill as ‘cybersecurity,’” Tiffiniy Cheng, co-founder and co-director of Fight for the Future, said in a Thursday blog post.
Fight for the Future is one of the digital privacy advocates behind the “Operation: #FaxBigBrother” campaign launched earlier this week to oppose the Cybersecurity Information Sharing Act (CISA) — a Senate bill drafted to legally allow companies to share data about cyberattacks and hacker intrusions launched against them with federal intelligence, law enforcement and defense agencies.
The Electronic Frontier Foundation, Access and others joined with Fight for the Future to lobby against the bill in Congress, which the groups said was “stuck in 1984″ — hence the fax machines as the chosen format for protest.
According to Senate Intelligence Committee Chairman Richard Burr and Ranking Democratic Sen. Dianne Feinstein — the bill’s chief sponsors — CISA will help the government and Silicon Valley work together to prevent the type of cyberattacks that have recently plagued government agencies including the Office of Personnel Management, health insurance companies like Anthem, private corporations such as Sony and Target and bank giant JPMorgan.
CISA is an out and out surveillance bill masquerading as a cybersecurity bill. It won’t stop hackers. Instead, it essentially legalizes all forms of government and corporate spying.
Here’s how it works. Companies would be given new authority to monitor their users — on their own systems as well as those of any other entity — and then, in order to get immunity from virtually all existing surveillance laws, they would be encouraged to share vaguely defined “cyber threat indicators” with the government. This could be anything from email content, to passwords, IP addresses, or personal information associated with an account. The language of the bill is written to encourage companies to share liberally and include as many personal details as possible.
That information could then be used to further exploit a loophole in surveillance laws that gives the government legal authority for their holy grail — “upstream” collection of domestic data directly from the cables and switches that make up the Internet.
Thanks to Edwards Snowden, we know that the NSA, FBI, and CIA have already been conducting this type of upstream surveillance on suspected hackers. CISA would give the government tons of new domestic cyber threat indicators to use for their upstream collection of information that passes over the Internet. This means they will be gathering not just data on the alleged threat, but also all of the sensitive data that may have been hacked as part of the threat. So if someone hacks all of Gmail, the hacker doesn’t just get those emails, so does the U.S. government.
CISA will be of little help in preventing data breaches and information theft from occurring. For one, the real-time sharing of information that CISA calls for would result in an overwhelming amount of information. The Department of Homeland Security would be receiving a huge volume of data, most of which contains no presence of a cyber-threat. Actual threats would be drowned out by false alarms, making it harder to catch an attack.
At the same time experts agree that information sharing is not the way to prevent massive data breaches. The numbers show that good cyber hygiene would prevent most attacks. According to the Verizon Data Breach Investigations Report, 90% of all incidents are caused by human error and 99.9% of attacks exploit vulnerabilities that have been public for over a year. Updating computer systems, securing end points, and raising awareness on cyber safety are all simple steps that would greatly reduce data breaches. The JP Morgan data breach occurred because a server was left unattended. The Home Depot hack exploited a vulnerability that the company had already been made aware of. The OPM breach occurred because the hackers obtained the log-in credentials of an OPM contractor.
Now it appears that Congress may be ready to help the NSA get the information they need to finally crank up their cybersecurity surveillance system. The Senate this week is expected to take up a bill, the Cyber Information Sharing Act (CISA), that would incentivize companies to liberally share “cyber threat indicators” with the Department of Homeland Security by granting them legal immunity from any surveillance laws when they do so.
The companies would be allowed to leave their users’ personal details in the information they give to the government unless they affirmatively know that it is not directly related to a threat, and the DHS would be required to share all of the information with the NSA and other federal agencies.
But that’s just the beginning of how CISA would massively violate privacy.
Any information shared with the government under CISA could be used to turn on the NSA’s latent cybersecurity surveillance powers. As revealed by the Snowden documents, cyber threat indicators can be used by the NSA as selectors to target the warrantless interception and collection of information from the Internet backbone. These selectors — things like email address, IP addresses, ranges of IP addresses, phone numbers, or strings of computer code — are used as filters to select and extract data from Internet traffic.
Importantly, any “incidental” data that is picked up along the way that is not directly related to the threat, including any and all personal data that is hacked or targeted as part of the cyber threat, can be indefinitely retained by the NSA. This could be a massive amount of data if a threat involves a company like Google, Bank of America, or AT&T.