Wolverton: CISA tucked into spending bill, looks set to pass

CISA — the cybersecurity bill that will likely undermine privacy, but do little to actually protect computer systems — is now on the fast-track to becoming law.

In closed-door, late-night negotiations over a so-called omnibus spending bill to fund the government for the next year, congressional leaders quietly inserted the Cybersecurity Act of 2015, aka CISA. Because it’s such a critical measure, the spending bill is almost guaranteed to be passed and signed into law by the president, meaning so too is CISA.

But that’s not the worst of it. The version of CISA incorporated into the spending bill is apparently stripped of even the weak privacy protections that were included in the version of the cybersecurity bill that the Senate passed in October. So not only is CISA likely to become the law of the land, but it’s going to be even worse bill than was imagined just a few weeks ago.

Techdirt gave a rundown this morning on the omitted provisions. Compared with the previous bill, the new version in the spending bill:

  1. Removes a bar on sharing information with the National Security Agency, allowing companies to hand over information directly to the nation’s chief surveillance organization;
  2. Eliminates any limits on using information collected under CISA for surveillance;
  3. Excises provisions that would have barred the government from using information collected under CISA for anything other than cybersecurity purposes, effectively allowing it to be used to target criminal activity that has nothing to do with hacking or computer security breaches;
  4.  Remove a provisions that would have required companies, before sharing information with the government, to redact customers’ personal information if it had nothing to do with a cybersecurity threat.

As Techdirt and others pointed out, the new provisions would make it more likely that CISA will be used as a backdoor for surveillance of American citizens and to track not just cybersecurity threats, but a whole range of unrelated activities.

CISA has been promoted as response to growing concerns about cybersecurity amid a range of massive hacking attacks, such as those on Home Depot and Target. The bill ostensibly seeks to encourage companies to share information about hacking attacks and other cybersecurity threats in a more timely fashion with other companies and the federal government in order to allow for a more coordinated and speedy response.

But the bill would give companies that share information with the government immunity from lawsuits, which, critics have noted, would simultaneously encourage them to share users’ personal data while taking away the incentive for them to better protect the personal data they hold.

CISA opponents have gone into overdrive on Twitter and elsewhere, trying to get word out about the new provisions and to try to wage a last-gasp battle to stop it. But few were holding out much hope.

Photo: Sen. Dianne Feinstein, a co-sponsor of CISA,  from Getty Images


Tags: , , , , , ,


Share this Post