CISA passed out of the Senate by a disappointing vote of 74-21 last week. The bill has already passed out of the House, and now it goes to a conference committee to work out any differences between the House and Senate version, back to both houses for an up or down vote without any amendments, and then to the President’s desk. Unlike previous years, we haven’t heard any veto threats for CISA, so it’s clear some version of the fundamentally flawed bill will become law.
We’re not happy about the vote, but we also think it's important to point out where we did win (at least for now): the final Senate bill did not include Senator Sheldon Whitehouse’s dangerous Computer Fraud and Abuse Act (CFAA) amendment. Now we’ll be working to make sure it stays that way.
Senator Whitehouse’s amendment was in the list of amendments that the Senate agreed to consider in October. Fortunately, Senator Ron Wyden made it clear on the floor of the Senate on October 20th that he would object to moving the bill forward if this amendment were included because it would “significantly expand a badly outdated CFAA.”
The amendment was ultimately not included in the language the Senate voted to advance, a fact Senator Whitehouse was very upset about: he publicly blamed a “hidden pro-botnet, pro-foreign cyber criminal caucus” for persuading the “masters of the universe” to remove this amendment.
The emails from our supporters opposing this amendment made a difference. Unfortunately, we doubt that Whitehouse’s language is dead. It could very well come up during conference, especially since Senator Tom Carper said: “we will conference, I’m sure, with the House and we will have an opportunity to revisit this, so I just hope you’ll stay in touch with those of us who might be fortunate enough to be a conferee.” As Marcy Wheeler points out, “as Ranking Member of the Senate Homeland Security Committee [,he] would almost certainly be included in any conference on the bill.
What’s wrong with CISA
[T]this bill will do little to make Americans safer but will potentially reduce the personal privacy of millions of Americans in a very substantial way.
We couldn’t agree more with Senator Wyden’s analysis of the problems with CISA.
While we will push for changes in conference, nothing can fix the fact that CISA’s raison d’etre—giving the government more information—is not going to improve our security. It doesn't address the real cybersecurity problems that caused major computer data breaches like Target and the U.S. Office of Personnel Management (OPM). And that fundamental flaw is on top of the fact that CISA has vague definitions of key terms, creates aggressive new spying authorities for the government, and would make it much harder to sue companies that share your personal information for cybersecurity purposes.
Many of the companies that would supposedly benefit from CISA opposed the bill. Industry trade groups the Computer and Communications Industry Association and the Business Software Alliance came out against CISA in the last month leading up to the CISA vote. They were joined by Salesforce, Twitter, reddit, Yelp, and Apple. And security giant Symantec also "refuse[d] to support the bill," because it would have allowed “cyber threat indicators” to be used for purposes other than cybersecurity.
In other words, CISA sacrifices privacy for an illusion of better security, as Senator Wyden pointed out.
Why Senator Whitehouse’s Computer Fraud and Abuse Act amendment is so dangerous
The Computer Fraud and Abuse Act, the federal anti-hacking law, has draconian penalties for poorly defined crimes. As a consequence, overzealous prosecutors can abuse the law by bringing criminal charges that are politically motivated,and pushing for harsh sentencing. The prosecution of activist Jeremy Hammond is a good example: he was charged with violating the CFAA after he allegedly hacked into the systems of private intelligence contractor Stratfor and leaked material that exposed surveillance on political protesters at the behest of both private companies and the government. He's now spending ten years in jail.
Senator Whitehouse’s amendment would have made the CFAA even easier to abuse. Its language created new CFAA crimes while lessening judicial oversight for sentencing of those crimes, all while lowering the standard for prosecuting some CFAA crimes. It also expanded trafficking prohibitions in a way that would threaten security research.
CFAA needs to be fixed, not worsened.
With the impending discussions about the budget, CISA may not be considered for several weeks. We’ll be keeping an eye out. And when it goes to conference, we’ll make it easy for you to let the conferees from the House and Senate know that these dangerous changes to the CFAA must not be included in the final legislation.