Stop CISA now!

Oct 21, 2015 | 5 mins
Data and Information Security, Security

Stop CISA.

Many of the world’s top tech companies want to put a stop to the fundamentally flawed Cybersecurity Information Sharing Act (CISA) bill which is on the Senate floor.

Put another way on “Decide the future of the Internet,” the corporate scorecard lists companies against CISA as “Team Internet,” while “Team NSA” is “collaborating with the government to control the Internet.”

CISA will automate sharing with the following government agencies:

Although Senator Burr is active on Twitter and just yesterday called “CISA a community watch program against cyber threats,” he suggested he didn’t know anything about companies that oppose the bill. Previously, Burr had suggested that CISA might have prevented the Office of Public Management hack, but more recently he suggested CISA would limit how much data got stolen in a series of hacks.

If his previous statements didn’t prove how truly clueless he is about CISA, Burr mentioned the high school stoner’s hack of CIA Director John Brennan and DHS Secretary Jeh Johnson, as if CISA could have stopped it from happening.

Both Burr and Senator Dianne Feinstein are on the Senate Intelligence Committee; since Burr is the chairman and Feinstein is the vice-chairman, they clearly should understand cybersecurity and CISA. That doesn’t mean they do understand.

Feinstein believes the OPM hack was not as bad as the Sony hack. As Marcy Wheeler put it, Feinstein suggested “the Sony hack and the DDOS attacks on online banking sites that stole no data! — were worse than the OPM hack…If I were one of the 21 million people whose security clearance data had been compromised, [it] would make me very, very furious.” Feinstein “made it clear she doesn’t really understand how the information sharing portal works. She said something like, ‘Once cyber information enters the portal it will move at machine speed to other federal agencies,’ as if a conveyor belt will carry information from DHS to FBI.”

Yesterday, Feinstein published a press release which attempts to debunk the “myths” about CISA, calling it “100% false” to believe CISA is a surveillance bill. Really? It would allow information to be shared with the NSA in “real time”…even DHS seems displeased about that one as it would be usurped; the agency warned CISA “could sweep away important privacy protections.” The EFF said CISA’s “broad immunity clauses for companies, vague definitions, and aggressive spying powers make [it a] secret surveillance bill.” Feinstein said CISA is “100% voluntary,” which Wired called “the biggest myth of CISA.”

Yet Feinstein seemingly ignored the tech experts and instead tweeted about various CISA supporters.

On Monday, the 51 companies listed below, which make up the Protecting America’s Cyber Networks Coalition, claimed that changes to CISA should “put to rest any false claims that CISA is a ‘surveillance’ bill.”

Last week, members of the financial sector pledged strong support for CISA, urging the Senate to pass the bill.

How handy, since CISA will make it very difficult if not impossible to punish these companies – to make them accountable – if they are breached. Participating in the program would basically grant them immunity from liability.

Senator Ron Wyden asked, “Who do you trust on privacy? Wall Street or tech experts?”

Errata Security’s Robert Graham tweeted, “I can find no cybersecurity experts (who aren’t tied to government) who support CISA.” He added, “To repeat: I’m one of the world’s foremost experts on the technical side of CISA. I believe it would have tiny benefit at best. …certainly the benefits of CISA are far less than the harm of invading people’s privacy and contributing to a cyber police state.”

Apple came out swinging against CISA last night. “We don’t support the current CISA proposal. The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”

Earlier this month, a coalition of security experts, civil liberties and privacy groups sounded the alarm and officially opposed the Computer Fraud and Abuse Act (CFAA) amendment added to the CISA surveillance bill. They wrote, “The amendment would exacerbate existing problems with the CFAA and enable prosecution of behaviors that are not malicious computer trespasses or hacking, which was the original and appropriate target of the CFAA. Worse, these changes are being rushed through Congress without adequate debate over the far-reaching effects of its provisions.”

Despite the ridiculous and often incorrect arguments by Burr and Feinstein, Senator Ron Wyden mentioned that Internet companies have come out against CISA, adding that “they’re doing so because they know the public no longer trusts many of those companies, and they don’t want a bill that will almost certainly be used for further surveillance efforts.”

The Computer & Communications Industry Association called on the Senate to improve, not approve, CISA. The CCIA wrote, “CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government. In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties.”

“Republican Senate leaders appear intent on pushing ahead with this flawed cyber bill, despite a surge of opposition from the people and companies who know best,” Senator Wyden told Motherboard. “CISA won’t stop sophisticated hacks, but it will create a big new threat to the privacy of millions of individual Americans. And the netroots, respected technologists and tech companies have clearly said that they do not support it.”

If you haven’t already, then it’s time to add your voice to the opposition, as CISA is “officially on the Senate floor.” You can use the EFF’s Stop CISA tool or use the one provided by Fight for the Future and Restore the Fourth. Don’t delay…CISA won’t.

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.