In the wake of huge government data breaches carried out by suspected Chinese hackers—intrusions that may have exposed the records of millions of federal employees—Senate lawmakers are pushing a controversial cybersecurity bill that privacy experts say would do little to stop future breaches but would give the government access to a trove of Americans’ private information.
Dubbed the Cybersecurity Information Sharing Act, or CISA, the bill is similar to the Cyber Intelligence Sharing and Prevention Act (CISPA), a measure that stalled in the Senate in 2013 over privacy concerns. It grants private companies, including technology and telecommunications firms, legal protection if they share more data on cybersecurity threats with the government. The government currently needs a court order to obtain such material, which could include the personal information of customers. CISA would end that requirement.
Proponents of CISA say the legislation would allow companies to more easily share information on how hackers operate and what tactics they use to breach networks or accounts, which would help the government identify and stop future attacks more quickly. But privacy experts fear private consumer data may be included in the information that companies supply to the government. For example, companies might include the browsing activity of a person whose online accounts have been targeted by hackers.
“This isn’t a cybersecurity bill—it’s a surveillance bill,” says Elizabeth Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice. “There is absolutely no reason to think that that is going to provide any significant cybersecurity benefits.”
Cybersecurity experts also note that this legislation would do little, if anything, to thwart data breaches. “I’m not aware of a single computer security researcher or practitioner who has…gotten up and said this sort of information sharing will meaningfully reduce the likelihood of attack or the severity of breaches or any of the sorts of things you’d want to address,” says Jonathan Mayer, a computer scientist and scholar at the Center for Internet and Society at Stanford University.
Many lawmakers contend that sharing information on past attacks and intrusions would help the government stop cyberattacks, such as the recent hacks on the Office of Personnel Management, in which the records of at least 4.2 million government workers were compromised. The records included the sensitive data collected from intelligence workers during background investigations.
Sen. Richard Burr (R-N.C.) and Sen. Dianne Feinstein (D-Calif.), the chair and ranking member of the Senate Intelligence Committee, have both cited the hacks as one reason the government needs more information from the private sector.
“The recent cyber breach at the Office of Personnel Management was a serious attack on our government and we cannot continue to have citizens’ personal information needlessly exposed to foreign adversaries and criminals,” Burr, the bill’s sponsor, said in a statement last week. “Not only does CISA propose a solution to help address these threats, it does so in a way that works to ensure the personal privacy of all Americans.”
But the OPM hacks appear to have taken place because of a lack of relatively basic security procedures like routine security reviews and data encryption. (At a congressional hearing on Tuesday, officials from the OPM and other federal agencies blamed outdated networks for their inability to adopt some of those measures.) CISA would not address any of the long-standing security flaws documented in an inspector general’s report on the OPM last November; the report called the agency’s security efforts a “significant deficiency.”
“It is very hard to believe, in many of the high-profile instances [of hacking], that a legislative approach like CISA would have prevented the breach—would have even meaningfully increased the speed with which the breach was identified,” says Mayer, the Stanford fellow.
In an email to Mother Jones, an intelligence committee aide noted that “the bill isn’t intended to end all cyberattacks, but rather to reduce successful attacks in the future by sharing knowledge about past attacks.”
Experts disagree on whether personal data may be shared in the process. Goitein, of the Brennan Center, says CISA “allows the government to pressure phone companies into turning over huge amounts of their customer data on a vague suspicion of a cyber threat. It’s going to be full of personally identifiable information on the customers.” But Daniel Castro of the Information Technology and Innovation Foundation notes the information will mostly relate to technical details of internet traffic. “It’s not going to be really content based, in terms of ‘somebody said something,’” he says.
Both he and Mayer point out that private companies already engage in information sharing under current laws, which place much tighter constraints on the kind of data that can be released without a court order. Mayer argues that CISA’s looser restrictions are unnecessary. “I haven’t seen anyone point to a bundle of information that a business couldn’t have shared under [the Electronic Communications Privacy Act],” he says.
While the Senate rejected an attempt by Senate Majority Leader Mitch McConnell (R-Ky.) to attach CISA to last week’s defense authorization bill, it will likely enjoy broad support as stand-alone legislation, especially in the wake of the OPM debacle. The Senate Intelligence Committee passed CISA overwhelmingly in March, and the House of Representatives has already approved a version of it. Senators may take up CISA again after coming back from their summer recess.
Regardless of when the bill returns, civil liberties and privacy groups say they’ll fight CISA’s passage. Goitein warns that “if the American public lets Congress pass this bill, we’re gluttons for punishment. We’re just asking the government to donate more of our data to the Chinese government or whoever else is trying to hack into it.”