If you value security over your privacy, you might applaud the US Senate's vote Tuesday to pass the controversial Cybersecurity Information Sharing Act (CISA).
The bill allows companies to voluntarily share evidence of cyberattacks with the US government, without fear of lawsuits if that information also violates your privacy. Proponents say CISA makes it easier for the government to coordinate threat information and responses across the companies and organizations that need it.
Opponents, including Apple and more than 20 other leading tech companies, say the bill could give the government even greater leeway to spy on US citizens. The ayes had it on the Senate floor. "While there is no silver-bullet solution to stopping cyberattacks, this legislation is a positive step toward enhancing our nation's cybersecurity," US Chamber of Commerce President and CEO Thomas J. Donohue said in a statement. He called CISA a victory for cybersecurity.
In contrast, Minnesota Democrat Al Franken was among the 21 senators voting against CISA and quickly expressed his disappointment. "There is a pressing need for meaningful, effective cybersecurity legislation that balances privacy and security: this bill doesn't do that," he said in a statement. Apple, Twitter and Dropbox declined to comment on the passage of the bill, though they all opposed the bill before its passage.
The vote Tuesday marks the end of a five-year struggle to encourage companies to share information about cyberthreats with the Department of Homeland Security. CISA was first introduced in 2014 but failed to reach the Senate before that session of Congress ended. Two years ago, the Cyber Intelligence Sharing and Protection Act (CISPA) was approved by the House, but died in the Senate. President Barack Obama said he supports the bill.
High-profile cyberattacks on government agencies and companies such as Sony, United, and Ashley Madison might have prompted the Senate to approve the bill, security experts say. "With security breaches like T-mobile, Target, and OPM becoming the norm, Congress knows it needs to do something about cybersecurity," Mark Jaycox of the Electronic Frontier Foundation said in a statement Tuesday. "It chose to do the wrong thing."
At issue is the fact that CISA allows companies to share information directly with law enforcement and intelligence organizations. Even more troubling, that information can include email, text messages and other data that can identify individuals. Companies are supposed to delete that information before they send it, but there's always the chance that our "personal identifiers" could still slip through. "I do not believe [CISA] imposes a sufficiently stringent standard for the removal of irrelevant personally identifiable information," Deputy Secretary Alejandro Mayorkas wrote in a letter to Franken.
The bill as written "raises privacy and civil liberties concerns," Mayorkas noted. After the vote Tuesday, NSA whistleblower Edward Snowden tweeted the names of senators who approved the bill. CISA now heads to a conference of Congress members who will match the passed Senate and House bills before sending it to Obama's desk.
