Senate Prepares to Vote on Cybersecurity Information Sharing Act (CISA)

Today, the U.S. Senate is scheduled to vote on the Cybersecurity Information Sharing Act (CISA), which is a serious threat to civil liberties and privacy.

CEI’s Ryan Radia offered these thoughts:

CISA doesn’t provide any meaningful deterrent against government agencies using information they receive from companies in ways that exceed the uses authorized by the Act. Although CISA requires agencies to issue guidelines that are supposed to prevent the misuse of information shared under the Act, this is hardly reassuring. Agencies violate their own internal procedures and guidelines all the time with impunity, from the IRS to the State Department.

That’s why it’s critical that any cyber information sharing legislation include a provision that gives relief to individuals injured by governmental misuse of information shared by companies. In this Congress, and in the last two Congresses, the House passed cyber threat information sharing legislation that allowed injured parties to sue the government for damages (i.e., a waiver of sovereign immunity). Another approach to deterring misconduct, used in the Wiretap Act, would bar the government from using evidence in court that is derived from shared cyber threat information for purposes beyond those allowed by the bill. Either a waiver of sovereign immunity or a suppression remedy needs to be included in any bill that liberalizes information sharing, or else companies won’t be able to meaningfully ensure that the government doesn’t use information they share with it for impermissible purposes.

Read more on CISA:

CISA Steps into the Limelight with a Manager’s Amendment and Agency Discontent

Yesterday was a busy day regarding the Cybersecurity Information Sharing Act (CISA). Sens. Dianne Feinstein and Richard Burr, the cosponsors of CISA, introduced a manager’s amendment that addresses some of the more concerning elements in the bill.

The amendment, however, is far from perfect.

In particular, it does not address the lack of remedies for individuals damaged by government abuses committed under the cover of cyber-threat prevention. As Ryan Radia, associate director of technology studies at the Competitive Enterprise Institute, notes:

[It is] critical that any cyber information sharing legislation include a provision that gives relief to individuals injured by governmental misuse of information shared by companies. In this Congress, and in the last two Congresses, the House passed cyber threat information sharing legislation that allowed injured parties to sue the government for damages (i.e., a waiver of sovereign immunity). Another approach to deterring misconduct … would bar the government from using evidence in court that is derived from shared cyber threat information for purposes beyond those allowed by the bill. Either a waiver of sovereign immunity or a suppression remedy needs to be included in any bill that liberalizes information sharing, or else companies won’t be able to meaningfully ensure that the government doesn’t use information they share with it for impermissible purposes.

Senate intel committee’s draft cybersecurity legislation gets panned by privacy, security coalition

According to the letter – signed by groups such as New America’s Open Technology Institute, American Civil Liberties Union and Competitive Enterprise Institute and security experts such as Bruce Schneier – the Cybersecurity Information Sharing Act, or CISA, of 2015 “would significantly undermine privacy and civil liberties.”

Controversial Cyber Security Bill Advances

Privacy groups, however, contend that the legislation does not do enough to protect private information. In a letter sent last month to Feinstein and Chambliss, the American Civil Liberties Union, the Center for Democracy and Technology, the Competitive Enterprise Institute, the Electronic Frontier Foundation, and more than a dozen other advocacy groups warned that CISA ignores the outcry over the revelations about the scope of NSA data gathering.

“Instead of reining in NSA surveillance, the bill would facilitate a vast flow of private communications data to the NSA,” the letter said. “CISA omits many of the civil liberties protections that were incorporated, after thorough consideration, into the cyber security legislation the Senate last considered.”

 

Update: The Senate failed to gain cloture for a vote on CISA on August 5. The vote has now been pushed until after August recess.