On Friday, Congress is poised to respond to Americans’ growing concerns about cybersecurity by passing legislation that trades our privacy rights for the temporary illusion of improved security.
Of course, we must improve our nation’s cybersecurity both in the government and in the private sector. Over the past two years, cybersecurity failures in the face of malicious attacks have become alarmingly common. The attacks have compromised sensitive government information, rattled our nation’s tech sector and exposed Americans’ personal information to the public.
But when Congress tackles these issues, we have to distinguish between thoughtful, targeted solutions to problems that empower private sector businesses and sweeping “solutions” meant to convey the appearance of improved security while actually harming it.
A measure slipped at the last minute into a government-funding bill that Congress is slated to vote on this week: the Cybersecurity Information Sharing Act.
If CISA’s only problem were that it’s ineffective, that would be one thing. We’d object to it, but perhaps not quite so strenuously. But CISA doesn’t just fail to address our existing cybersecurity problems; it stands to create a whole raft of new ones.
Worse still, by slipping this bill into must-pass legislation, House leaders are giving privacy-minded members of Congress an impossible choice: allow a bill that threatens Americans’ civil liberties to become law or force a government shutdown.
Forcing representatives to sell out their constituents in this way as a condition of funding the basic operations of the government hardly seems consistent with the “open process” and “regular order” that Speaker Paul Ryan and Senate Majority Leader Mitch McConnell have repeatedly promised.
CISA’s premise is simple: The bill would encourage companies to share information about cyberthreats with the federal government by granting them protection from liability.
In theory, the bill is meant to combat big hacks such as those that affected Sony, Anthem or Home Depot. But in practice, CISA probably wouldn’t have stopped any of these well-publicized attacks and probably won’t stop future ones.
Why? Because information-sharing is only a small part of the comprehensive cybersecurity strategy we need to protect ourselves from hackers — and it’s not even one of the important parts.
Instead of limiting our focus to information sharing, we should be addressing how rarely cybersecurity best practices are used on both private- and government-operated networks. Too many public and private entities simply don’t take advantage of tools already at their disposal to protect themselves from hackers. No amount of information sharing will help solve that problem.
And what’s the price of this false sense of security?
A dangerous disregard for the privacy rights of the individuals whose personal information is located on companies’ networks (likely including yours). CISA would give the National Security Agency and other federal agencies broad new discretion to scrutinize and store Americans’ private information — even in the absence of evidence that the information is relevant to a cyberthreat.
We know how that movie ends. The federal government has an exceptionally poor record of behaving responsibly with Americans’ personal information when entrusted with it. The NSA has broken privacy rules or overstepped its legal authority thousands of times a year since Congress gave it broad new powers in 2008.
Lawmakers who support CISA will tell you the bill includes some privacy protections. They’re right. But these “protections” are superficial and include broad loopholes that are so far-reaching as to render the protections meaningless.
For example, the bill includes language directing companies to “scrub” information clean of any personally identifiable information before sharing it with the government. But the way the bill is written, companies are only directed to scrub personal information if they have affirmative evidence that the information is not relevant to a cyberthreat — a virtually impossible standard since it requires the company to prove that something doesn’t exist.
Now that CISA will soon become law, companies will be encouraged to disseminate information about our patterns of Internet use and even the content of our online communications to the government in virtually all circumstances.
We all agree that Congress must take action to stop attacks on cybernetworks and safeguard Americans’ private information. CISA, however, is nothing more than a surveillance bill disguised as a solution to that problem.