A controversial cybersecurity bill that drew heavy criticism from privacy advocates may have been put on the back burner last week, but some observers fear that the issue may return later in the year.
The Cybersecurity Information Sharing Act (CISA) failed a procedural vote in the Senate, 40 to 56, despite bipartisan support and a heavy push by Republican leaders. It encourages organizations to monitor their networks and share “cyberthreat indicators” — which could include users’ personal data — with the intelligence community.
Sen. Mitch McConnell (R-Ky.) had tried adding CISA as an amendment to the 2016 National Defense Authorization Act (NDAA), which President Obama has vowed to veto over an unrelated budget issue that deals with Afghanistan funding. That move angered many Democrats, including some CISA supporters. Democratic leaders called it “a pure political ploy that does nothing to advance America’s national security.”
But despite its defeat last week, McConnell can bring CISA up for a vote again soon, though observers say that likely won’t happen until the fall.
"McConnell can place it on the calendar at any time for another vote, since it's passed out of the Intelligence Committee," said Mark Jaycox of the Electronic Frontier Foundation. "Some people have said that it won't be back until after summer recess. Practically, it's whenever McConnell thinks he has the vote or thinks he has the votes for the bill plus any amendments."
The debate came two weeks after Congress voted to limit the National Security Agency’s ability to hold data on Americans and one week after the Office of Personnel Management announced a massive data breach that CISA’s supporters say underscores the urgency of passing cybersecurity legislation.
“The American people deserve the privacy protections included in this legislation,” Sen. Richard Burr (R-N.C.) said in a statement. “Those entrusted with personal information, from banks to telecommunications companies, know those protections are included and offered their support in an effort to combat the threats against this country.”
Advocates for the legislation said it was necessary in the wake of major data breaches at Sony, Anthem Health Care and a host of other companies. However, critics say it places more personal information in government hands and raises profound concerns over privacy.
The CISA wouldn’t require organizations to give information on cybersecurity threats directly to the federal government. Instead, it would set up a common system for information sharing and grant immunity from privacy laws when organizations make available information that includes their users’ personal data.
For many privacy advocates, the CISA would be a serious blow. According to Jaycox, it could open the door to retributive hacking by government and private companies, allow service providers to perform surveillance on their users and place more personal data on Americans in government hands.
“The bills grant essentially near blanket immunity for companies to monitor information systems, which includes software or computers, as well as immunity for sharing any information … The bill skirts current privacy law and grants blanket immunity to current privacy law as well as current hacking laws,” he said.
There are some safeguards in the bill aimed at easing activists’ concerns. Organizations would have to scrub threat information of personal data before handing it over to the Department of Homeland Security, which would automatically pass it on to the Department of Defense, the Department of Justice and the intelligence community. Those agencies would have to scrub the information a second time before sharing it with others, including state, local or tribal law enforcement.
However, the federal government and law enforcement would be free to use the data for purposes that go far beyond cybersecurity — including counterterrorism, trade secret protection and certain criminal investigations, all without a warrant.
That’s just one measure that has privacy advocates concerned. They warn that the bill is written in a way that could pull in a lot of personal data while scrubbing very little. Another provision could give organizations legal authority to hack back, or launch retaliatory cyberattacks that might cause collateral damage. And any cyberthreat information shared with the government will automatically go to the NSA — even after Congress voted two weeks ago to limit the agency's collection of Americans’ phone records.
Taken together, those measures could amount to a new backdoor for government surveillance, according to some experts. The revelation earlier this month that the NSA monitors Americans’ Internet traffic in its hunt for foreign cybersecurity threats has only heightened those fears, according to Jennifer Granick of Stanford University’s Center for Internet and Society.
“Especially after the recent reports about how NSA is using vulnerability information to spy on the domestic Internet, this is not a time to be throwing privacy law away and be handing over greater surveillance powers and greater surveillance opportunities to the government,” she said.
“The United States federal government has not proved itself to be a friend or a competent player in the cybersecurity world, period.”