Right before Congress left for its annual summer vacation the Obama Administration endorsed the Senate Intelligence Committee's Cybersecurity Information Sharing Act (CISA). EFF opposes the bill because its vague definitions, broad legal immunity, and new spying powers allow for a tremendous amount of unnecessary damage to users' privacy. Just last week the Department of Homeland Security agreed and criticized CISPA for its lack of privacy protections. More importantly, CISA fails to address the causes of the recent highly publicized data breaches.
The Obama administration's endorsement is a complete reversal from its previous stance on privacy-invasive cybersecurity bills. In 2012, the White House published a detailed two-page veto threat against CISA's antecedent, the Cybersecurity Information Sharing and Protection Act (CISPA). In the letter the Administration noted CISPA:
lacks sufficient limitations on the sharing of personally identifiable information between private entities
and that it would
inappropriately shield companies from any suits where a company's actions are based on cyber threat information identified, obtained, or shared under this bill, regardless of whether that action otherwise violated Federal criminal law or results in damage or loss of life.
The same is true of CISA, which is why the Administration should've vetoed the bill. Like CISPA, CISA
- Adds a new authority for companies to monitor information systems to protect an entity's hardware or software.
- Fails to mandate companies and the government remove unrelated personal information before sharing it with government agencies like the NSA.
- Grants broad legal immunity to companies for sharing more private information with the government than they’re currently permitted to do.
Lastly, CISA, like CISPA, doesn't address problems identified by recent data breaches like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.
The administration has invested immense capital into looking strong on cybersecurity since January. And instead of publishing another veto threat, the White House Press Secretary urged the Senate to pass CISA. There was no deep analysis as in 2012. There was no explanation about CISA's own privacy problems. And there was no acknowledgement about the White House's sudden change in position.
Even though the President wants to sign the bill, the Senate must pass CISA first. Privacy advocates have defeated these "cybersecurity bills" five times in the past five years. In July, users and privacy advocates postponed a vote on CISA after sending over 6 million faxes opposing CISA to Senators during a Week of Action. Unfortunately, the vote was only postponed to mid-September when Congress gets back from vacation.
We must continue the pressure on the Senate to stop this bill. Please join us in continuing to tell our Senators to say no to CISA.