The Cybersecurity Information Sharing Act is back, and, according to privacy advocates, it’s worse than ever, even as it seems virtually certain to become law as part of the omnibus Cybersecurity Act of 2015, which passed the House this morning by a wide margin.
Since the Cybersecurity Act is — other than CISA — more or less a routine funding measure, few lawmakers are expected to vote against the whole bill to prevent the divisive piece from heading to the president’s desk, and President Obama has publicly committed to signing the bill.
Privacy advocates are sounding the alarm over the provisions they see as worse in this version of CISA and the apparently backhanded tactics being used to avoid a real debate on the bill’s impact on privacy versus its value for cybersecurity. Nonetheless, the passage of some version of CISA appears imminent, as votes in the House and Senate could come as early as today.
CISA provides incentives to major tech companies to share user information with federal authorities. It also grants these companies immunity from prosecution under existing privacy laws, an issue that arose when the Edward Snowden leaks made it appear possible that companies were going beyond their legal authority to comply with government data requests.
These two provisions would open new channels for the sharing of information between government and private companies. But the House version of CISA does seem to open the channels even wider than the Senate bill. By defining the class of information that companies should deliver to the feds as anything related to “specific” rather than “imminent” threats, the House bill seems to provide a more general requirement that could result in even greater data collection.
The bill’s critics argue that the current drive for cybersecurity legislation came out of major breaches of both government and corporate data by foreign entities, yet the bill does little to address the issues that undergird those hacks. Instead it expands the more general powers of federal agencies to collect private data. As evidence, critics cite provisions in the House bill, which calls for establishing “portals” directly to law enforcement agencies rather than the the Department of Homeland Security.
Some are also criticizing President Obama for vacillating on cybersecurity, having initially promised to veto a CISA-predecessor called CISPA but now displaying no qualms about signing similar legislation. A senior administration official wrote in an emailed statement to the National Journal:
“We are pleased that the Omnibus includes cybersecurity information sharing legislation. The President has long called on Congress to pass cybersecurity information sharing legislation that will help the private sector and government share more cyber threat information by providing for targeted liability protections while carefully safeguarding privacy, confidentiality, and civil liberties.”
The president’s initial announcement of his intent to veto CISPA had privacy advocates celebrating their defeat of the current push for a cybersecurity bill. Now, with Obama’s support and a path to majority support in both houses of Congress, CISA appears poised to become a reality.