BY LEE FANG
Since November 11, 2011, with the introduction of the Cyber Intelligence Sharing and Protection Act, American spy agencies have been pushing laws to encourage corporations to share more customer information. They repeatedly failed, thanks in part to NSA contractor Edward Snowden’s revelations of mass government surveillance. Then came Republican victories in last year’s midterm Congressional elections and a major push by corporate interests in favor of the legislation.
Today, the bill is back, largely unchanged, and if congressional insiders and the bill’s sponsors are to believed, the legislation could end up on President Obama’s desk as soon as this month. In another boon to the legislation, Obama is expected to reverse his past opposition and sign it, albeit in an amended and renamed form (CISPA is now CISA, the “Cybersecurity Information Sharing Act”). The reversal comes in the wake of high-profile hacks on JPMorgan Chase and Sony Pictures Entertainment. The bill has also benefitted greatly from lobbying by big business, which sees it as a way to cut costs and to shift some anti-hacking defenses onto the government.
For all its appeal to corporations, CISA represents a major new privacy threat to individual citizens. It lays the groundwork for corporations to feed massive amounts of communications to private consortiums and the federal government, a scale of cooperation even greater than that revealed by Snowden. The law also breaks new ground in suppressing pushback against privacy invasions; in exchange for channeling data to the government, businesses are granted broad legal immunity from privacy lawsuits — potentially leaving consumers without protection if companies break privacy promises that would otherwise keep information out of the hands of authorities.
Ostensibly, CISA is supposed to help businesses guard against cyberattacks by sharing information on threats with one another and with the government. Attempts must be made to filter personal information out of the pool of data that is shared. But the legislation — at least as marked up by the Senate Intelligence Committee — provides an expansive definition of what can be construed as a cybersecurity threat, including any information for responding to or mitigating “an imminent threat of death, serious bodily harm, or serious economic harm,” or information that is potentially related to threats relating to weapons of mass destruction, threats to minors, identity theft, espionage, protection of trade secrets, and other possible offenses. Asked at a hearing in February how quickly such information could be shared with the FBI, CIA, or NSA, Deputy Undersecretary for Cybersecurity Phyllis Schneck replied, “fractions of a second.”
Questions persist on how to more narrowly define a cybersecurity threat, what type of personal data is shared, and which government agencies would retain and store this data. Sen. Ron Wyden, D-Ore., who cast the lone dissenting vote against CISA on the Senate Intelligence Committee, declared the legislation “a surveillance bill by another name.” Privacy advocates agree. “The lack of use limitations creates yet another loophole for law enforcement to conduct backdoor searches on Americans,” argues a letter sent by a coalition of privacy organizations, including Free Press Action Fund and New America’s Open Technology Institute. Critics also argue that CISA would not have prevented the recent spate of high-profile hacking incidents. As the Electronic Frontier Foundation’s Mark Jaycox noted in a blog post, the JPMorgan hack occurred because of an “un-updated server” and prevailing evidence about the Sony breach is “increasingly pointing to an inside job.”
But the intelligence community and corporate America have this year unified behind the bill. For a look into the breadth of the corporate advocacy campaign to pass CISA, see this letter cosigned by many of the most powerful corporate interests in America and sent to legislators earlier this year. Or another letter, reported in the Wall Street Journal, signed by “general counsels of more than 30 different firms, including 3M and Lockheed Martin Corp.”
The partnership between leading corporate lobbyists and the intelligence community was on full display at a cybersecurity summit hosted by the U.S. Chamber of Commerce a few days before the midterm election last year, in which NSA director Admiral Mike Rogers asked a room filled with business representatives for support in passing laws like CISA. At one point, Ann Beauchesne, the lead homeland security lobbyist with the U.S. Chamber of Commerce, asked Rogers, “How can the chamber be helpful to you?” — even suggesting a viral marketing campaign akin to the “ALS ice bucket challenge” to build public support.
Rogers specifically mentioned during his speech before the Chamber how corporations who partner with agencies like the NSA can shift some of their information security work to the government — a major cost savings. “You have information that I need and I think I have information that can be of value to you,” Rogers said.
At the moment, there are multiple versions of CISA, including information sharing proposals from the House Homeland Security Committee and Sen. Tom Carper, D-Del., but momentum has moved behind the Senate Intelligence Committee version, amended under Chairman Sen. Richard Burr, R-N.C., and Ranking Member Sen. Diane Feinstein, D-Calif. “The robust privacy requirements and liability protection make this a balanced bill, and I hope the Senate acts on it quickly,” said Feinstein as CISA passed 14-1 in a secret, closed session of the Senate Intelligence Committee.
Reversing course over past opposition to the previous iteration of the bill, CISPA, the White House has demonstrated firm support for information sharing legislation this year. And more importantly, the Senate has drastically changed, helping to create a far more National Security Agency-friendly Congress. Sen. Mark Udall, D-Col., the chief opponent of CISA last session, was defeated in his reelection campaign last November, and the new Senate Majority Leader Sen. Mitch McConnell has made CISA a “priority.”