Lawmakers in the U.S. Senate just passed CISA (the “Cybersecurity Information Sharing Act”) on Tuesday, October 27. If the White House does not veto it, CISA will allow tech companies to share internet traffic information with the government without fear of liability for the disclosure of private or sensitive data. Not only would the law potentially allow companies to violate their own privacy statements with users, but also it would allow them to hide the fact that they are sharing information with the government.
So what is CISA, where did it come from, and why does it matter? This is not the first time that lawmakers have brought this type of information-sharing scheme before Congress. Back in 2011, lawmakers introduced CISPA (the “Cyber Intelligence Sharing and Protection Act”) in an attempt to help prevent cyber attacks. The basic premise behind the bill was that quickly sharing information about threats and vulnerabilities could help prevent attacks. The House of Representatives passed CISPA, but it failed in the Senate, due to a lack of confidentiality and civil liberties safeguards. The White House even proclaimed that it would veto the bill should it be passed. CISPA was reintroduced by the House in 2013, where it again failed to pass the Senate.
A year later, in 2014, the Senate introduced CISA, a nearly identical law to CISPA. However, for some reason (perhaps because its name no longer included the words “intelligence” or “protection”), CISA received only a fraction of the pushback that was levied at its predecessor. Still, the Senate failed to reach the bill with a full Senate vote before the 2014 congressional session came to a close.
Cyberattacks have grown increasingly more frequent in recent years. Just look at our nation’s most recent cyberattack, which exposed an estimated 18 million current, former and prospective federal employees’ personal data. In light of the increasing attacks, many in Congress feel that it is time they “did something” on cybersecurity—even if it means passing a bill that no one seems to like. This sentiment is well articulated by U.S. Sen. Chuck Schumer, who said in July, “I’d like to see the bill [CISA] strengthened a little bit, but I’d take it right now because we’ve done nothing on cyber for a long time.”
So in early 2015, the bill was once again introduced in the Senate. Attempts to attach the bill as an amendment to the National Defense Authorization Act were rejected in June, and the Senate once again failed to get the bill onto the floor for a vote before the summer recess in August. But fast-forward to now—late October—and the Senate has passed the proposed law with an overwhelming 74-21 bipartisan vote. If we are to learn anything from CISA it should be that, apparently, you can achieve just about anything with undying persistence.
As broadly explained by Senator Dianne Feinstein, one of the bill’s most ardent supporters, CISA “allows companies to share information for cybersecurity purposes.” However, even the sponsors of the law have conceded that the bill would have done nothing to prevent the recent cyberattacks on Sony Pictures Entertainment or the Federal Office of Personnel Management. Furthermore, the bill raises many concerns for privacy advocates, and it has even received harsh criticism from large tech companies. As Apple recently told the Washington Post, “[t]he trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”
Most concerns with the bill stem from its broad language. Under such language, many argue that companies and the Government could share vast quantities of private data with each other—data such as emails, text messages, or other communications—with nearly complete immunity from liability. Furthermore, the public would be unaware of what companies were participating under CISA or what type of information was being transmitted because the data-sharing scheme created by the bill would be exempt from the Freedom of Information Act. A prevalent viewpoint of those against the bill was summarized by Nathaniel Turner, a lobbyist assistant for the ACLU, stating: “At its core, CISA is more about surveillance than it is about cybersecurity.” What effects CISA truly will have on our privacy or security remains to be seen.