CommunityFDL Main Blog

CISA Isn’t About Cybersecurity, It’s About Surveillance

Part 2: Bruce Schneier on the Hidden Battles to Collect Your Data and Control Your World

Yesterday, in secret session, the Senate intelligence committee advanced the CISA bill…

Bipartisan group of senators vote 14 to 1 on Cybersecurity Information Sharing Act as lone dissenter calls measure ‘a surveillance bill by another name’

The Senate intelligence committee advanced a priority bill for the National Security Agency on Thursday afternoon, approving long-stalled cybersecurity legislation that civil libertarians consider the latest pathway for surveillance abuse.

The vote on the Cybersecurity Information Sharing Act, 14 to 1, occurred in a secret session inside the Hart Senate office building. Democrat Ron Wyden was the dissenter, calling the measure “a surveillance bill by another name”.

Senator Richard Burr, the committee chairman, said the bill would create avenues for private-to-private, private-to-government and government-to-private information sharing.

The bill’s bipartisan advocates consider it a prophylactic measure against catastrophic data theft, particularly in light of recent large-scale hacking of Sony, Target, Home Depot and other companies.

Private companies could share customer data “in a voluntary capacity” with the government, Burr said, “so that we bring the full strength of the federal government to identifying and recommending what anybody else in the United States should adopt”.

“The sharing has to be voluntary, not coercive, and it’s got to be protected,” said Senator Dianne Feinstein, the committee’s vice-chair, adding that the information would pass through the Department of Homeland Security – and “transferred in real time to other departments where it’s applicable”.

Feinstein said the bill’s provisions would “only be used for counterterrorism purposes and certain immediate crimes”. {…}

Amidst that backdrop of suspicion, it is uncertain if the new cybersecurity bill can garner the votes in the broader Senate and House that its predecessors could not. The digital-rights group Access on Thursday was already seeking to mobilize its membership to call legislators in objection to the bill.

Wyden declined to comment to reporters, saying as he left the meeting: “you guys know I like talking about this stuff but I can’t say anything.

The lone dissenter, Sen. Wyden, later blasted the bill on his website…

Cybersecurity Bill Lacks Privacy Protections, Doesn’t Secure Networks

“Cyber-attacks and hacking against U.S. companies and networks are a serious problem for the American economy and for our national security. It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.

If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill – it’s a surveillance bill by another name.

“The most effective way to protect cybersecurity is by ensuring network owners take responsibility for security. Strong cybersecurity legislation should make clear that government agencies cannot order U.S. hardware and software companies to build weaker products, as senior FBI officials have proposed.

“I am concerned that the bill the U.S. Senate Select Committee on Intelligence reported today lacks adequate protections for the privacy rights of American consumers, and that it will have a limited impact on U.S. cybersecurity.”

Today, the ACLU issued a scathing article and call to arms…

They say the first step is admitting you have a problem. But sometimes that’s the easy part.

When it comes to cybersecurity, it seems everyone in Washington admits we have a problem. It’s in the solutions phase where things really start to fall apart for policymakers.

Instead of focusing on ways to make our data (and the devices we store it on) more secure, Washington keeps offering up “cybersecurity” proposals that would poke huge holes in privacy protections and potentially funnel tons of personal information to the government, including the NSA and the military.

Thursday, the Senate Intelligence Committee met behind closed doors to mark up the Cybersecurity Information Sharing Act of 2015. They voted 14–1 to advance the bill, with Senator Wyden offering the lone no vote.

Unfortunately, by all accounts, CISA is one of those privacy-shredding bills in cybersecurity clothing.

If you remember CISPA, the information-sharing bill that fell under the weight of its privacy failings last Congress and even drew a veto threat from President Obama, the problems with CISA might sound a little too familiar. This bill is arguably much worse than CISPA and, despite its name, shouldn’t be seen as anything other than a surveillance bill – think Patriot Act 2.0.

The bill could also pose a particular threat to whistleblowers – who already face, perhaps, the most hostile environment in U.S. history – because it fails to limit what the government can do with the vast amount of data to be shared with it under this proposal. CISA would allow the government to use private information, obtained from companies on a voluntary basis (and so without a warrant) in criminal proceedings – including going after leakers under the Espionage Act.

If you are wondering how giving companies a free pass to share our personal information with the government will make our data more secure, you aren’t alone. We’ve already written about why real cybersecurity doesn’t need to sacrifice our privacy.

The ACLU also recently joined with a broad coalition to remind the committee about some of these problems – problems which have not been adequately addressed in the Senate’s proposal.

The letter reads, in part:

We now know that the National Security Agency (NSA) has secretly collected the personal information of millions of users, and the revelation of the programs has created a strong need to rein in, rather than expand, government surveillance. CISA disregards the fact that information sharing can – and to be truly effective, must – offer both security and robust privacy protections. The legislation fails to achieve these critical objectives by including: automatic NSA access to personal information shared with a governmental entity; inadequate protections prior to sharing; dangerous authorization for countermeasures; and overbroad authorization for law enforcement use.

You can read the full letter, and view the full list of signatories, here.

We must heed the clarion call and contact our critters ASAP…!

Edit:Take action now to tell key members of the U.S. Senate that any bill allowing the sharing of personal information with the NSA is unacceptable.

Let’s light up their switchboards. Call now using the numbers below.

Mark Warner (Virginia): 202-224-2023

Martin Heinrich (New Mexico): 202-224-5521

Angus King (Maine): 202-224-5344

James Lankford (Oklahoma): 202-224-5754

Mazie Hirono (Hawaii): 202-224-6361

Tom Carper (Delaware): 202-224-2441

Previous post

Riveting testimony in the Boston Marathon bombing trial hurts Dzhokhar's chance to avoid death penalty

Next post

Late Night FDL: Easy To Be Hard

CTuttle

CTuttle

8 Comments