The Department of Homeland Security (DHS), the lead agency tasked with protecting civilian government computer systems, agrees that the Senate's Cybersecurity Information Sharing Act (CISA) is fundamentally flawed. DHS's letter to Senator Al Franken, which voiced many concerns about the bill, joins the chorus of criticisms raised by computer scientists, privacy advocates, and civil society organizations. It's the clearest sign yet that the Senate should kill this bill.
The letter explains why the bill won’t—and can’t—protect users' privacy: CISA simply doesn’t make companies remove unrelated personal information before sending “threat” information to the government.
DHS derides the bill's failure to mandate a privacy scrub of personal data, explaining that DHS will be forced to "contribute to the compromise of personally identifiable information by spreading it further." Companies and the government should be securing our personal information, not sharing it unnecessarily.
The DHS letter also contradicts, yet again, the tired and tiresome claim that the information shared under CISA will be vital to protecting computers. According to DHS, the bill may not help security because its broad definitions may lead to "receiv[ing] large amounts of information with dubious value." CISA’s defenders seem to think that if some information sharing is good, more must be better—right? That’s the same bad logic that undergirded the Section 215 call detail records program, and the same bad logic that defined “relevant” as “everything.” The fact is, companies and the government can (and do) already share technical threat information through Information Sharing and Analysis Centers (ISACs), private communications, public releases, and DHS's Enhanced Cybersecurity Services program.
What we’ve not seen is a fact-based explanation of what marginal or incremental security benefit CISA’s massive increase in information sharing would actually provide—even if we put privacy and civil liberties concerns to the side. It’s just assumed and incanted.
If CISA’s defenders had to pay attention to facts, they’d have to explain how that increased information sharing would have addressed the recent, highly publicized computer security breaches that were caused by unencrypted data, poorly designed system architecture, unpatched servers, and employees (or contractors) clicking on links that delivered malware. Frankly, not taking basic precautions seems like a much bigger problem than not knowing enough about threats.
The DHS letter agrees with many of the points we highlighted in last week's Week of Action opposing CISA. It notes that the bill's grant of new spying powers and broad legal immunity could "sweep away important privacy protections, particularly the provisions in the Stored Communications Act." If that sounds familiar, it should: when CISA was first released we warned:
Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and the Computer Fraud and Abuse Act would be precluded or at least sharply restricted.
DHS also criticized the bill's vague definitions, especially "the expansive definitions of cyber threat indicators and defensive measures in the bill." We agree. And it's only one of the many reasons CISA should die. Unintended consequences result when Congress passes poorly drafted bills. The Senate should finally put this zombie bill to rest.
The Week of Action saw users send over 6 million faxes to Senators demanding they oppose CISA. Congress has heard from voters, computer security experts, civil society organizations, privacy advocates, and companies opposing CISA. Maybe the Senate will listen to the agency overseeing the current cybersecurity information sharing regime.
We're urging Senators to vote against CISA. It's a flawed bill suffering from serious problems.
CISA will be up for a vote today. Join us in telling your Senators to oppose CISA.