Soon, the Senate will vote on a cyber-security bill called CISA. It’s a red herring. Senator Wyden of the Intelligence Committee called it a “surveillance bill by another name”. CISA proponents, including Senators Thune and Rounds, wrongly claim that CISA will protect computer networks through increased information sharing between companies and the government. But CISA wouldn’t have stopped any of the recent computer network breaches such as those at Sony or Target.
The government has proven itself unfit to adequately protect the cybertheat and personal information which it will collect with this bill. In the past year alone, we’ve seen computer network breaches at the IRS, State Department, White House, Pentagon, and OPM.
Moreover, the Department of Homeland Security (DHS) already manages cyber-security information sharing programs, so CISA’s stated purpose only duplicates existing programs. And according to the DHS, CISA’s “complexity and inefficiency would markedly increase” compared to existing programs, and it would “sweep away important privacy protections”.
Finally, there are many problems with the language in the bill:
- The definition of what can be shared does not exclude personal information. The separate requirement that companies to strip personal or identifying information (or use an automated process to do so) only applies if the entity knows about the presence of the information “at the time of sharing.” CISA allows vast amounts of personal data to be shared with the government, even that which is not necessary to identify or respond to a cyber-security threat.
- The bill does not require that companies act in good faith and it does not provide a cause of action for companies whose sharing would qualify as willful misconduct.
- The bill also includes an unprecedented modification to the Freedom of Information Act (FOIA) that prohibits the disclosure of information shared under the law, as well as a separate, non-discretionary exemption for information and defensive measures shared and exemptions from all state open government laws.
CISA is the wrong answer to cyber-security. Please encourage Senators Thune and Rounds to vote “NO” on CISA.