MARK JAYCOX | EFF
Although grassroots activism has dealt it a blow, the Senate Intelligence Committee’s Cybersecurity Information Sharing Act (CISA) keeps shambling along like the zombie it is. In July, Senator McConnell vowed to hold a final vote on the bill before Congress left for its six-week-long summer vacation. In response, EFF and over 20 other privacy groups ran a successful Week of Action, including over 6 million faxes opposing CISA, which led the Senate to postpone the vote until late September.
Senators submitted many amendments to the bill before going on vacation. The amendments, like the original language of the bill, fail to address key issues like the deep link between these government “cybersecurity” authorities and surveillance, as well as the new spying powers the bill would grant to companies.
But “cybersecurity” is already intimately tied to surveillance—a problem CISA would only worsen. Documents released by the New York Times reveal the government used the Comprehensive National Cyber Security Initiative (CNCI) to pay telecommunications companies to spy on consumers using their networks. The CNCI includes initiatives for information gathering, but it’s always been presented to the public as fostering research and encouraging public awareness of cybersecurity problems—not spying on Americans’ Internet traffic.
The revelations are stunning. The NSA paid telecommunications companies nearly $300 million in the 2010 fiscal year to invest in surveillance equipment as part of the CNCI. In fact, STORMBREW’s Breckenridge site was “100% subsidized with CNCI funding.”
In contrast, the DHS requested only $37.2 million during the same time period to support research and development in cybersecurity science and technology. Even if DHS received everything it requested, does the American public really want surveillance spending to outweigh research and education by roughly 8 to 1?
The news is compounded by other recently released Snowden documents that show how the NSA uses foreign intelligence laws to run an intrusion detection system (IDS) on US soil. The documents show that a Justice Department memo gave the agency permission to monitor Internet cables, “without a warrant and on American soil, for data linked to computer intrusions originating abroad — including traffic that flows to suspicious Internet addresses or contains malware.”
CISA—and its amendments—do not even begin to address these serious problems. Instead, they mandate information sharing with the intelligence community, creating even more cyberspying.
EFF will continue to oppose CISA, even if some of these amendments pass, because CISA’s vague definitions, broad legal immunity, and new spying powers allow for a tremendous amount of unnecessary damage to users’ privacy, and it’s highly unlikely that the public will ever learn about it. Even an amendment (#2612) offered by Senator Al Franken, which narrows some of the definitions in CISA, does little to clarify its most troubling provisions.
What’s worse is that information-sharing bills like CISA are being painted as silver bullets for data breaches. They aren’t. The bills don’t address problems like unencrypted files, poor system architecture, unpatched servers, and employees (or contractors) clicking malware links.
Plenty of the amendments would make the bill even worse. We’ve already discussed the horrible CFAA amendment, #2626, proposed by Senator Sheldon Whitehouse. The amendment not only increases the scope of the already expansive Computer Fraud and Abuse Act (CFAA) but also authorizes injunctions against botnets (amending 18 U.S.C. § 1345) in a way that creates serious constitutional issues. After all, much of what DOJ and FBI want to do in shutting down botnets is, arguably, a search or a seizure under the Fourth Amendment; moreover, such injunctions may prevent users from communicating, thus raising First Amendment issues. The amendment is a great example of how not to amend the draconian CFAA. If the Senate wants to improve the CFAA, it should take a page out of our book.
Senator Carper has proposed another dubious change to CISA, amendment #2627. The amendment attempts to codify the Department of Homeland Security’s EINSTEIN program without any public debate. EINSTEIN is an intrusion detection system, descended from a system created by the NSA, that scans Internet traffic flowing into the federal government, such as emails and other connections. DHS has not told the public which agencies are using EINSTEIN. It’s possible that when you email your representative, DHS also receives a copy. Before codifying EINSTEIN, DHS must be more transparent about the program. The most recent update from DHS about the program is from 2013, and many concerns have been raised about EINSTEIN’s legality and privacy implications. Unlike CISA, Senator Carper’s amendment mandates that federal agencies create a plan to identify sensitive information and encrypt it; however, the clause exempts the Department of Defense and the intelligence community. The amendment also does not authorize additional funding for federal agencies to improve their security.
Senator Carper’s attempt to make a horrible bill marginally better is admirable, but he—along with other Senators—should oppose the bill. Even the best amendments fail to fix CISA’s serious flaws.
Not Awful Amendments
Some of the amendments try to narrow the scope of the bill. Senator Chris Coons’ amendment #2552 would limit information sharing to that necessary to describe or identify a cybersecurity threat, while Senator Wyden’s amendment (#2621) would require companies and the government to remove personal information unrelated to the threat.
But these well-meaning changes don’t address the root problems in the bill: the outrageously broad and vague definition of “cybersecurity threat” and the grant of new authorities to spy on users. Senator Franken’s amendment #2612 attempts to address that definition, but even his amendment isn’t enough. Again, no amendment scales back the bill’s two new authorities: to spy on users and to launch countermeasures.
Other amendments are better. Senator Patrick Leahy’s #2587 would remove the current CISA provision exempting all “cyber threat indicators and defensive measures” received by the government from disclosure under the Freedom of Information Act, and may help ensure the public can obtain information about how, if CISA is enacted into law, the information “sharing” system actually operates. Senator Jeff Flake’s #2582 adds a 6-year sunset. And Senator Mike Lee’s email privacy amendment (#2556) would codify US v. Warshak by amending the Electronic Communications Privacy Act to require warrants for email and other stored content.
While some advocates will paint these amendments as “steps forward,” the amendments merely shuffle deck chairs on the Titanic: even with the better amendments, the bill is still a bad idea. The Senators are pursuing the wrong strategy. Democrats and libertarian Republicans should be opposing CISA outright. That’s why we’re asking users to continue emailing their Senators to stop this bill. While CISA is the very definition of a zombie bill, the public outcry against it has made a difference. But we can’t stop now. Join us by tweeting, faxing, or emailing your Senator.