June 26, 2014
The last time the Senate considered cybersecurity information-sharing legislation was in July 2012, when it took up the Cybersecurity Act of 2012 (S. 3414). That bill would have ensured civilian control of the government’s domestic cybersecurity mission, required the private sector to make reasonable efforts to remove all personally identifiable information (PII) before sharing information with the government, and authorized the government to use the information only to investigate or prosecute cybersecurity crimes or to prevent serious violence, or harm to minors.
In the intervening time, we have learned of the NSA’s far-reaching and abusive intelligence and cyber operations, including its phone and Internet surveillance programs, its undermining and cracking encryption standards, its development of powerful malware and hacking tools, and its stockpiling of vulnerabilities in widely used software.
Now, Senator Feinstein, Chairman of the Senate Intelligence Committee, has released a draft of the Cybersecurity Information Sharing Act of 2014 (CISA). That new bill not only represents a major step back on privacy compared to the 2012 bill, but also wholly ignores the serious concerns that the last year’s disclosures have raised about the NSA’s activities and its role in America’s domestic cybersecurity information sharing operations, and doesn’t even attempt to address the serious questions that NSA’s other cyber operations raise for Internet security.
If passed, CISA would authorize de facto information sharing with the NSA and other non-civilian federal entities. It does not require that sharing entities make reasonable efforts to remove all PII before engaging in sharing, potentially exposing vast amounts of personal information to the government. It authorizes private entities to engage in an array of countermeasures that could inadvertently harm average Internet users, and it absolves companies of all liability for harms that result from their negligent or improper sharing of information.
Our significant concerns with the bill and recommended changes can be found in our analysis. Additionally, we have signed onto two coalition letters raising these concerns, both of which were sent to the Hill this afternoon (available here and here). Those letters were originally drafted in anticipation of an Intelligence Committee meeting to mark-up the bill that was scheduled for today. Thankfully, however, the Committee has now delayed the bill’s consideration until after the July 4th holiday. We’re glad the Committee is no longer rushing to approve a bill draft that was only released last week, especially when it contains so many serious privacy problems—and fails to grapple with some of the most pressing cybersecurity issues that have been revealed in the past year.
Particularly considering the revelations of the last year, any new cybersecurity legislation should be more protective of privacy than the Senate’s 2012 bill, not less--and under no circumstance should it allow domestic cyber threat information to flow indiscriminately to the NSA. Rather, the Senate should act on the knowledge we’ve gained based on the Snowden revelations and legislate rules of the cyber-road for the NSA—by restricting the NSA’s stockpiling of software vulnerabilities and prohibiting the NSA from undermining encryption standards or undermining the security of the Internet and the health of the American technology industry by inserting surveillance backdoors into computer hardware and software.
The Snowden leaks didn’t just transform the surveillance debate but the cybersecurity debate as well. Rather than pretending that the landscape hasn’t changed, the Senate should take heed of last week’s historic votes in the House to repudiate the NSA’s backdoors into our data and its undermining of essential security standards. The Senate will not be able to effectively address cybersecurity until it recognizes, as the House has, that one of the most significant cyber-threats we face today is our own NSA.