Wednesday, 4 November 2015

CISA: Thankfully, Not Yet a Law

What do United States Senators Wyden, Heller, Leahy and Franken have in common?

They all tried to mitigate the potential damage of the Cybersecurity Information Sharing Act (CISA), but to no avail. Their proposed amendments would have protected personally identifiable information and the framework of the Freedom of Information Act, and restricted the definitions of cybersecurity threat and threat indicator.

Instead, last Tuesday, the Senate approved CISA as is by a vote of 74 to 21. The legislation will allow U.S. companies to voluntarily share user data with the U.S. Department of Homeland Security, which in turn could pass that data along to the NSA and FBI. The bill, already widely criticized by the civil liberties and technology communities alike, has repeatedly been associated with two main concerns: first, it will enable companies to share users’ information regardless of protections under other laws and agreements and second, it will empower the U.S. government to domestically prosecute foreign nationals who have committed cybercrimes against U.S. companies, regardless of their location.

SumRando reached out to Arnold Jin, Seattle attorney and former Government Surveillance Fellow at the American Civil Liberties Union of Washington (ACLU-WA), for his response to the legislation:

“The recent Senate vote in favor of S. 754, the Cybersecurity Information Sharing Act (CISA), is troubling and disappointing on many fronts. The issue of government intelligence gathering has never been one of access or lack of information amongst law enforcement agencies. What is troubling about the current CISA bill is that it uses broad and vague terms to define a ‘cyber threat indicator.’ It is largely an explicit way for the government to conduct mass surveillance under the guise of providing a ‘safe harbor’ for the companies who comply with this bill. It is not insignificant that many of the largest tech companies have signed letters in opposition to this legislation.
“The definition of who would be a cyber threat suspect is so broad that it will inevitably capture the data of innocent citizens who are engaged in completely benign behavior. Furthermore, mistakes will happen. S. 754 provides no mechanism for protecting the incorrect information that gets shared between parties and worse, brings such sharing to a global level, considering that most companies these days are multinational and have a physical if not virtual presence in several other countries. Another factor to consider is that when one person travels and uses a tech provider’s services in another country, does that information then become subject to domestic or international cyber threat assessments? That situation is decidedly much more common in this day and age of modern travel.

“At a minimum I would urge Congress to follow the recommendations made to the committee in the letter submitted by professors who research and/or teach cyber law and cybersecurity on October 26, 2015. That letter endorsed the previous concerns addressed by more than 60 technologists, which included the signatories of some of the most respected security researchers in the world who highlighted that the problem behind recent cyber attacks has nothing to do with security threat information sharing; rather, more ‘robust and meaningful private efforts to prevent intrusions into networks and leaks out of them’ are what is needed. CISA does nothing to advance those goals. As we saw with Sony last year, most system hacks are predicated on some sort of phishing or social engineering attack. Quite often the largest problem is not the setting of security policy or privacy by design principles, but rather mass consumer adoption of these privacy protective measures.”
CISA, ACLU, ACLU-WA, Arnold Jin, government surveillance, United States

CISA is currently being reconciled with the House of Representatives’ version of the bill; from there, President Obama is expected to sign it into law.

For now, however, CISA remains a bill under review. Take a moment to remind Congress that you do not support CISA at and to tell Obama that you believe the government should “reject any law, policy, or mandate that would undermine our security” by signing the petition, if you haven’t already.

Want to know more about U.S. cybersecurity? Read on!

SumRando Cybersecurity is a South Africa-based VPN, Web Proxy and Secure Messenger provider. Surf secure and stay Rando!

No comments:

Post a Comment