The strongly disliked Cybersecurity Information Sharing Act (CISA) will most probably become law this week - with language “worse” than originally feared.
The legislation was passed by both the House of Representatives and the Senate, but not without first receiving a significant makeover. The amendments removed most of CISA’s privacy protections. Moreover, the Act was combined into a much larger omnibus bill that Obama is very unlikely to veto.
Legislative analyst Mark Jaycox said, “It looks like a done deal. It’s what we’ve been saying about CISA from the start - this has been couched as a security bill but it’s not.”
Under the original terms of the CISA legislation, companies were to share their customers’ information with federal government departments once it was anonymized. At that point, the government could analyze the data for online threats, while the data-providing companies received legal immunity from prosecution for breaking privacy agreements.
But the proposed bill was amended and the privacy portions were stripped away. As it currently reads, companies do not have to anonymize users’ data before turning it over to the feds. Moreover, the government can use the data for surveillance and for other non-cybercrime activities. Furthermore, even if companies identify security failures, they do not have to report said failures.
Democratic Senator Ron Wyden said, “This ‘cybersecurity’ bill was a bad bill when it passed the Senate and it is an even worse bill today. Americans deserve policies that protect both their security and their liberty. This bill fails on both counts. Cybersecurity experts say CISA will do little to prevent major hacks and privacy advocates know that this bill lacks real, meaningful privacy protections.”
The chance to challenge the new changes to CISA before it becomes law is also quite limited since the bill was folded into an omnibus bill that has too much riding on it for Obama to veto.
Jaycox points out that all hope is not lost and there is still work to be done.
He added, “We need to work on the further education of Congress; this isn’t the be-all and end-all security bill – there will be others. CISA also has to be implemented by departments, notably the Department of Homeland Security, and we’ll be watching how this is done.”
Traditionally, the most effective way to overcome “bad” laws is to challenge them in the courts. But that approach may not work in the case of CISA. Specifically, the legislation’s language provides that all data handed over to the feds is immune from Freedom of Information Act (FOIA) requests. This provision will make it very difficult for individuals to protect their privacy from intrusion by the government.