The Cybersecurity Information Sharing Act (CISA)

By December 4, 2015 Blog No Comments

This post was originally published on the Jackson School of International Studies International Policy Institute Website on October 30, 2015.

On October 27, 2015, the Cybersecurity Information Sharing Act (CISA) passed in the Senate with a vote of 74-21. The CISA is an effort to promote information sharing across agencies of government and private actors in order to improve cybersecurity. The CISA would accomplish this sharing by creating a way for federal government agencies, in particular the Department of Homeland Security, to receive information about cybersecurity threats from the private sector. The CISA would protect companies by granting them legal immunity in relation to the sharing. For instance, companies would be protected from Freedom of Information Act requests about shared data and would be protected from any lawsuits as long as they follow government guidelines. 

The major debate about the CISA is the debate that has characterized every similar bill: where the lines should be drawn between security and privacy. An inherent tension between security and privacy exists in every realm of public security and safety. This tension has increased exponentially as digital technology and personal devices have granted governments surveillance abilities far beyond anything possible in the past.

The bill is considered to be the relative of the Cyber Intelligence Sharing and Protection Act (CISPA), which was passed in the House but was defeated in the Senate in 2013.

Four major takeaways about the Cybersecurity Information Sharing Act

One: It is likely to pass

The Cybersecurity Information Sharing Act has just passed in the Senate and will likely pass in the House. The Obama Administration has stated that it supports the Act. That means that it will probably succeed where similar bills have failed.

Two: There are four serious criticisms of the Act

The debate around the bill focuses on concerns that: (1) the definitions in the bill are overly broad and will allow companies and the government to sweep up more information about individuals than actually relates to any threat; (2) the protections for private companies in the CISA are far too generous, as they grant widespread legal immunity from lawsuits related to the CISA; (3) the chances are high that information about “normal” non-criminal people will be gathered in investigations and handed over to government agencies; and, (4) the bill is outdated and will not do anything to address present day cybersecurity challenges.

Three: Nearly every major technology company opposes the CISA in its current form

Those opposed to the bill include nearly every major technology company as represented by the lobbying group the Computer & Communications Industry Association (e.g., Google, Microsoft, and Facebook) along with many civil society groups concerned with privacy and civil liberties (e.g., the ACLU and the Electronic Frontier Foundation). Interestingly, there seems to be a divide between the companies that support it—many of whom are major data holders, such as health insurance companies or financial corporations—and the companies that are against it—the technology companies that could ultimately be responsible for dealing with cybersecurity breaches.

Four: In the past, similar bills have been defeated through grassroots mobilization and bipartisan resistance

In the past, grassroots mobilization has defeated other bills with similar privacy issues. The mobilizations have been generated by civil society groups from both the right and the left, reporting on the issue by online news sources such as Wired.com, mobilization in online communities, and bipartisan efforts.

The debate

Critics of the CISA are concerned about four major elements of the bill. First, critics are concerned that the definitions included in the bill are overly broad. The inclusive definitions of “cyber threat indicator” and “cybersecurity threat” give the government and private companies a large amount of leeway in how they define cybersecurity threats. The bill will allow large-scale data gathering to occur followed by widespread data sharing among federal agencies. The concern is that these broad parameters are a threat to user privacy as well as civil liberties.

Second, critics are concerned that the protections for companies are overly vast. Based on the bill, companies would be protected from any Freedom of Information Act requests for information about what they had shared. They are also protected from any lawsuits that result from the sharing the data, as long as they followed government regulations in sharing it. Critics are concerned because companies now have access to data about nearly every aspect of their users—making the combination of potential type of information shared, inability for citizens to find out what happened, and corporate immunity a powerful mix. This is particularly important in light of the fact that “normal” user data could be gathered with other data and shared with personal indicators attached, even when the “normal” users were not engaging in any nefarious activities.

Third, critics are concerned about the surveillance permission granted to U.S. security agencies, in general, beyond the purpose of the bill. The bill states that within 90 days of it passing, the Department of Homeland Security will be required to come up with procedures that protect privacy and civil liberties—including the “receipt, retention, use, and dissemination of cyber threat indicators.” However, this leaves a key element of the bill unarticulated until after it passes and trust in U.S. institutions around such issues is limited. The Snowden information has illuminated the types of information about everyday people that the government has been harvesting, probably illegally.

Fourth, critics are concerned that the bill will not do anything to address present day cybersecurity challenges. David Sanger and Nicole Perlroth wrote that the bill is, “like the insistence of some cavalry officers in the 1930s on sticking to horses, rather than investing in mechanized divisions.” Critics point out that CISA would not have done anything to stop recent major cyberattacks, such as the Sony picture attack alleged to be from North Korea or the Chinese hack that accessed millions of Office of Personnel Management records.

Who supports the CISA?

A range of actors supports the bill: many Republicans, many Democrats, the Obama Administration, the Department of Homeland Security, and some major companies.

The bill was put forward as a bipartisan effort. In the Senate vote, it received 74 votes in favor from both sides of the aisle. It received 21 votes against—also reflecting the cross-partisan nature of this issue, with 14 Democrats, six Republicans, and one Independent voting against it.

Fifty-one organizations, such as the U.S. Chamber of Commerce, sent a letter to the Senate expressing their support for the bill, which can be read here. Major companies, such as Anthem, Blue Cross Blue Shield Association, JPMorgan Chase, Morgan Stanley, AT&T, Verizon Communications Inc., and Boeing and Lockheed Martin Corporation, have also expressed support.

The Obama Administration has said it supports the bill, although, the Administration expressed concern about any amendments that did not keep the Department of Homeland Security the central portal for information. In addition, the Department of Homeland Security’s Secretary Jeh Johnson also expressed his support for the bill.

Considering the success of the earlier Cyber Intelligence Sharing and Protection Act (CISPA) in the House of Representatives, as well as the fact that the House Republicans, who have largely voted in favor of this type of bill, control the House, it is likely that CISA will fare well in the House when it comes up for a vote.

Who opposes the CISA?

Some government officials are opposed to the bill, but most opposition comes from non-governmental actors, including most major technology companies and most civil society organizations concerned with privacy rights or rights related to technology.

The Computer & Communications Industry Association—a lobbying group that represents many major technology companies such as eBay, Facebook, Google, Microsoft, Sprint Nextel, and Yahoo—has spoken out against the CISA. Other companies have spoken out against it directly, such as Apple, DropBox, Reddit, TwitterYelp, and Wikipedia.

Also, an array of civil society organizations concerned with privacy and civil liberties have spoken against the act. These organizations include the ACLU, the American Libraries Association, Human Rights Watch and a list of security experts who signed a letter to President Obama opposing the bill. In addition, the Electronic Frontier Foundation, Decide the Future, and others have been organizing efforts to fight the bill.

In the past, grassroots mobilization has defeated other bills related to cyber-policy with similar privacy issues. The mobilization has been generated by civil society groups such as the Electronic Frontier Foundation, both from the left and the right; reporting on the issue by online news sources such as Wired.com; and bipartisan efforts.

Leave a Reply