EFF has joined 26 civil society organizations and 22 computer security experts in a letter that calls on the Senate Select Committee on Intelligence to reject the Cybersecurity Information Sharing Act of 2015 (CISA).
CISA, currently only available in draft form, is yet another iteration of the infamous Cyber Intelligence Sharing and Protection Act (CISPA), first introduced in 2011. These pieces of legislation have all been introduced under the auspices of increased computer and network security. But instead of providing increased funding for security research, providing funding for security training for federal government employees, or any of the other ways computer and network security could be made better, they have focused on information sharing, without addressing the privacy and civil liberties implications that entails.
CISA is no different. It would grant companies more power to obtain “cyber threat indicators" and to disclose that data to the government without a warrant—hence its reputation as a “cyber-surveillance” bill. In fact, as the letter points out, CISA “requires real time dissemination to military and intelligence agencies, including the NSA.” In other words, cyberthreats shared with any agency would be automatically shared with the NSA.
Under CISA, all of this would happen without real privacy protections for Internet users. As the letter emphasizes:
CISA does not effectively require private entities to strip out information that identifies a specific person prior to sharing cyber threat indicators with the government, a fundamental and important privacy protection.
But CISA allows the shared information to be used for purposes that have nothing to do with cybersecurity, including “a wide range of crimes involving any level of physical force, including those that involve no threat of death or significant bodily harm,” compounding the potential negative privacy impact.
CISA would also authorize companies to launch countermeasures against potentially innocent users—without requiring that companies are responsible for any harm they cause to innocent users:
countermeasures must be “operated on” one’s own information systems, but may have off-networks effects – including harmful effects to external systems – so long as the countermeasures do not “intentionally” destroy other entities’ systems. . . CISA permits companies to recklessly deploy countermeasures that damage networks belonging to innocent bystanders, such as a hospital or emergency responders that attackers use as proxies to hide behind, so long as the deploying company does notintend that the countermeasure result in harm.
To compound this provision, like its previous iterations, CISA contains overbroad immunity from lawsuits for corporations that share information or deploy countermeasures—effectively ensuring that they have little incentive to minimize these activities.
You can read the full text of the letter and see the signatories here. The SSCI is expected to mark up CISA soon. And while we’re hopeful that it will be defeated, CISA’s past iterations have faced several veto threats from President Obama, a petition with over 800,000 signatures, and a widespread online campaign dubbed "Stop Cyber Spying Week." That means we need your voice to defeat this version, too. Take action today: tell your Senator to oppose reintroduction of a bill that invades the privacy and civil liberties of everyday Internet users while failing to truly make the Internet safer.Infosec Island