Senate passes controversial cybersecurity bill Cisa 74 to 21
Senate votes in favor of bill critics including Edward
Snowden say will allow the government to collect sensitive personal data
unchecked
By Sam Thielman
Tuesday 27 October 2015 17.29 EDT Last modified on
Tuesday 27 October 2015 22.31 EDT
The US Senate overwhelmingly passed a controversial
cybersecurity bill critics say will allow the government to collect sensitive
personal data unchecked, over the objections of civil liberties groups and many
of the biggest names in the tech sector.
The vote on Tuesday was 74 to 21 in support of the
legislation. Democratic presidential contender Bernie Sanders voted against the
bill. None of the Republican presidential candidates (except Lindsey Graham,
who voted in favor) were present to cast a vote, including Rand Paul, who has
made privacy from surveillance a major plank of his campaign platform.
Ahead of the vote a group of university professors
specializing in tech law, many from the Princeton Center for Information
Technology Policy, sent an open letter to the Senate, urging them not to pass
the bill. The bill, they wrote, would fatally undermine the Freedom of
Information Act (Foia).
Led by Princeton’s David S Levine, the group joined a
chorus of critics including many of the largest technology companies, notably
Apple, and National Security Agency (NSA) whistleblower Edward Snowden in
calling for Cisa to be scrapped.
Snowden, via Twitter, said that “a vote for Cisa is a
vote against the internet.”
Cisa would “allow ‘voluntary’ sharing of heretofore
private information with the government, allowing secret and ad hoc privacy
intrusions in place of meaningful consideration of the privacy concerns of all
Americans,” the professors wrote.
“The Freedom of Information Act would be neutralized,
while a cornucopia of federal agencies could have access to the public’s
heretofore private-held information with little fear that such sharing would
ever be known to those whose information was shared.”
Despite protestations that Cisa was not a surveillance
bill, co-sponsors Richard Burr and Dianne Feinstein discouraged their
colleagues from voting for amendments to mitigate what senators called
unreasonable invasions of privacy, including one notifying citizens that their
data was being examined. Amendments from Ron Wyden, Al Franken, Patrick Leahy,
Dean Heller and Chris Coons all failed, though Wyden’s failed by a very narrow
vote.
The American Banking Association and the
Telecommunications Industry Association (TIA) applauded the passage of the bill.
“The legislation passed by the Senate today bolsters our cyber defenses by
providing the liability protections needed to encourage the voluntary sharing
of cyber threat information,” the TIA said in a statement. “We applaud the
Senate for moving this important bill and urge Congressional leaders to act
quickly to send this bill to the president’s desk.”
Cisa was negotiated and marked up in secret. Corporate
lobbying group The US Chamber of Commerce has been the only consistent champion
of the legislation outside the halls of the Senate; the editorial boards of the
Wall Street Journal and the Washington Post both published opinions in favor of
the bill today.
The data in question would come from private industry,
which mines everything from credit card statements to prescription drug
purchase records to target advertising and tweak product lines. Indeed, much of
it is detailed financial and health information the government has never had
access to in any form. The bill’s proponents said the data would be
“anonymized”.
Cisa would create a program at the Department of Homeland
Security (DHS) through which corporations could share user data in bulk with
several US government agencies. In exchange for participating, the companies
would receive complete immunity from Freedom of Information Act requests and
regulatory action relating to the data they share. DHS would then share the
information throughout the government.
Among the bill’s opponents are industry groups
representing a broad swath of tech companies, several of which have come out
individually against the bill in addition to statements from industry trade
groups.
Apple didn’t mince words in its opposition to the
proposed law: “We don’t support the current CISA proposal,” the company said in
an unattributed statement last week. “The trust of our customers means
everything to us and we don’t believe security should come at the expense of
their privacy.” Others – Wikimedia, Reddit, Salesforce, DropBox – issued
similar statements.
Quietly, though, many major tech sector players are
staying on the sidelines. After accusations that the company had been
informally calling senators to say they wouldn’t oppose the bill, Facebook said
it had not lobbied in Cisa’s favor, but that it did not have a public stance on
it. Microsoft and Google, too, have been notable by their silence, though trade
associations representing them have publicly objected to the bill.
Facebook has its own threat-sharing program; others
within the industry do, too. The program created by Cisa wouldn’t be of much
use to them – private industry is widely acknowledged to be further down this
road than the government – but regulatory and Foia immunity could come in
handy.
The bill must next pass the House of Representatives, a
procedure that will likely be much quicker and smoother than the opposition it
faced in the Senate from Oregon senator Ron Wyden, among others. Then it must
be negotiated by the House and the Senate and then likely passed in a package
with two others.
Atypically, security researchers have come out against
Cisa, as well, saying it would do little to improve surveillance and would
instead spread user information broadly across a threadbare patchwork of
government IT systems. Mending that patchwork and others like it in private
industry, said researcher Brian Krebs on his blog, Krebs on Security, is a much
surer way to improve security.
“While many business leaders fail to appreciate the value
and criticality of all their IT assets, I guarantee you today’s cybercrooks
know all too well how much these assets are worth,” wrote Krebs. “And this
yawning gap in awareness and understanding is evident by the sheer number of
breaches announced each week.”
That gap is always going to be worse in the government
than in the private sector, information sharing or not, said Jasper Graham,
formerly a technical director at the NSA.
Even if you mandate something proven to impede data
thieves, like public-key infrastructure (PKI) encryption, you’ll hit a wall.
“If you say, ‘Everyone now must use PKI!’ you get one small department saying,
‘Actually, we can’t do that,’ and that’s a nightmare,” Graham said. “Regular
organizations aren’t really tied to what Donald Trump says tonight in the same
way. The government has to do a better job than it’s currently doing, and the
best way to do that is to get bipartisan funding.”
Robyn Greene of the New America Foundation characterized
the legislation as a “do-something” bill. “The Sony hack really changed the
conversation,” Greene said. “You can see that in the way the administration
approached cybersecurity – they stopped saying ‘This is something that has
to get done right’ and started saying ‘This is something that has to get done
now.’”