Last week, the Senate Intelligence Committee voted (in secret, of course) to approve a new cybersecurity bill, dubbed CISA (as it was in the last Congress), though it kept the content of the actual bill secret until this week. The only Senator who voted against it was… Senator Wyden, of course, who rightly pointed out that this bill is “not a cybersecurity bill – it’s a surveillance bill by another name.”
The good folks over at the EFF have a rundown on why the bill is terrible:
Aside from its redundancy, the Senate Intelligence bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures (now called “defensive measures” in the bill) for a “cybersecurity purpose” against a “cybersecurity threat.” “Cybersecurity purpose” is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a “cybersecurity threat,” which includes anything that “may result” in an unauthorized effort to impact the availability of the information system.
Even with the changed language, it’s still unclear what restrictions exist on “defensive measures.” Since the definition of “information system” is inclusive of files and software, can a company that has a file stolen from them launch “defensive measures” against the thief’s computer? What’s worse, the bill may allow such actions as long as they don’t cause “substantial” harm. The bill leaves the term “substantial” undefined. If true, the
countermeasures“defensive measures” clause could increasingly encourage computer exfiltration attacks on the Internet—a prospect that may appeal to some “active defense” (aka offensive) cybersecurity companies, but does not favor the everyday user.
Second, the bill adds a new authority for companies to monitor information systems to protect an entity’s hardware or software. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.
Also, the bill goes away from previous cybersecurity bills that put Homeland Security in charge (which, by itself, isn’t great, but DHS is the best option if you’re debating between DHS, the NSA and the FBI). While the information still goes to DHS under this bill, DHS doesn’t then get to parse through it and figure out where it goes. Instead, the info needs to be shared “in real time” with the NSA. All of which just gives weight to the fact that this is a surveillance bill, not a bill to protect against “cybersecurity attacks.”
But if you want to know the single biggest reason why this bill is bogus: ask those supporting it what cybersecurity attack this bill would have stopped. And you’ll notice they don’t have an answer. That’s because it’s not a cybersecurity bill at all. It’s just a bill to try to give the government more access to your user info.