Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

CISA – A Very Unpopular Act Will Probably Pass

October 27, 2015

At least, that's where the betting money is according to a story from InfoWorld. The latest version of the Cybersecurity Information Sharing Act (CISA) advanced to the Senate floor last week and could face a vote as early as this week. The move to pass the revised CISA bill, which the Obama administration has indicated it will sign, comes despite mounting opposition from technology companies, security experts, and privacy advocates.

Although CISA is promoted as a cybersecurity bill, it does nothing to actually improve the effectiveness of security systems. It's concerned instead with increasing the amount of information that corporations share with government and protecting those companies from liability for violating customers' privacy. Skeptics (me included) believe it makes it much easier for the U.S. government to spy on its own companies. Humorously or sadly, Wired magazine gave the bill "An F for Security But an A+ for Spying." Great recommendation, huh?

Google, Microsoft, Apple, Twitter, Yahoo, Amazon, and Dropbox are among the 23 tech companies fighting to stop CISA. In addition, the Business Software Alliance and the Computer & Communications Industry Association oppose the bill's passage.

Security experts have spoken against its weak privacy protections, overly broad monitoring, and allowance of defensive measures that could undermine cybersecurity. Even the Department of Homeland Security has said CISA is terrible, warning in a letter to Sen. Al Franken that it could harm privacy and increase "complexity and difficulty" in responding to cybersecurity threats.

But Congress seems determined to pass it. In a move to speed the bill's passage, Senate leaders have attached eight of the 22 proposed amendments to CISA. An amendment from Sen. Ron Wyden did not make it into the package and faces an uphill battle. It would require that any personal information be removed before the data is passed to the government. "We've always been told this is about threats, this is about threats to our country, our institutions," Wyden said. "Why do you need people's personal information?" A very good question.

An amendment to narrow the definition of a "cyber threat indicator" — used by companies in deciding which data to pass to federal agencies — was also left out.

Sen. Dianne Feinstein defended her bill, saying provisions have been made to restrict the data that companies can share with the government, eliminate some of the more controversial government uses of the data, and set up "a fast, real-time filter" at the DHS to scrub personal information before data is shared government-wide. Yes, once again, it's "trust me, I'm from the government."

More comedy for you: Earlier this year the Electronic Frontier Foundation said, "Congress is stuck in 1984. It doesn't seem to understand modern technology. So we're going to communicate with it in a way it'll understand: With faxes." The faxbigbrother campaign resulted in 6.1 million faxes opposing CISA. Now it turns out hundreds of thousands were "lost or deleted [by the Office of the Sergeant at Arms], without ever reaching the offices of the senators." I'm not sure the government is even up to the year 1984.

A really bad bill stands a really good chance of becoming law. Appalling.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson