Cyber Security Legislation
Every year a host of cybersecurity bills are introduced in Congress. In 2014, the Cyber Intelligence Sharing and Protection Act (CISPA) was introduced in the US House, and the Cybersecurity Information Sharing Act (CISA) was introduced in the Senate. Both are privacy-invasive bills that grant companies broad legal immunity to share more information with the government and private companies.
These bills often purport to allow companies and the federal government to “share” threat information for a “cybersecurity” purpose—to protect and defend against attacks against computer systems and networks. But the bills are written broadly enough to permit your communications service providers to identify, obtain, and share your emails and text messages with the government. While business leaders have conceded that they do not need to share personally identifying information to combat computer threats, the bill provides an exception to existing law designed to protect your personal information.
The newly granted powers are intended to thwart computer security threats against a company's rights and property. But the definitions are broad and vague. The terms allow purposes such as guarding against “improper” information modification and ensuring “timely” access to information, functions that are not necessarily tied to attacks.
Once the information is handed over, the government is able to use it for investigating crimes that are unrelated to the underlying security threat.
The bills' vague definitions like "cybersecurity threat" and "cybersecurity system" also raise the frightening possibility of a company using aggressive countermeasures. In CISPA, if a company wants to combat a threat, it is empowered to use “cybersecurity systems” to identify and obtain “cyber threat information.” But CISPA does not define exactly how far a company can go, leaving it open to the possibility of abuse.
Companies would also be immune from both civil and criminal liability for any action, including but not limited to violating a user’s privacy, as long as the company used the powers granted by CISPA in "good faith." The immunity even extends to "decisions made based on" any information “directly pertaining” to a security threat. The consequences of such a clause are far-reaching.
EFF Related Content: Cyber Security Legislation
- "CISA is fundamentally flawed," Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, stated in a blog post on Oct. 22. "The bill's broad immunity clauses, vague definitions, and aggressive spying powers combine to make the bill a surveillance bill in disguise."
- Update: The Senate advanced CISA 85-14. You can see how your Senator voted here. Amendments to CISA will be voted on Monday. After a final vote early next week in the Senate, CISA will move to a conference committee where House and Senate leaders will resolve differences between...
- The Electronic Frontier Foundation, another prominent digital rights organization, is also actively campaigning for companies to oppose the legislation. Legislative analyst Mark Jaycox told The Hill he expects to see more companies publicly opposing CISA in the coming weeks. Privacy advocates have expressed limited support for a handful of amendments,...
- As if “national security” weren’t enough, now Congress is trying to use “cybersecurity” as an excuse to chip away at our right to privacy—and it’s riding on the coattails of incidents like the Experian and OPM breaches. Once again for continuity, it bears repeating that the Cybersecurity Information Sharing Act...