Greetings and salutations!
In recent events, one of the bills most dreaded by those involved in cybersecurity and privacy matters has passed the Senate. This act is none other than the Cybersecurity Information Sharing Act (CISA), and it calls for the sharing of cyberthreat indicators between the public and private sectors.
Well, the sharing of this information could be good, right? With cyberthreats on the rise, it would be good to have organizations focus on these and shut them down, right? The NSA will certainly help us while maintaining our privacy, right?
For one, that's a laughing matter.
This is why you should worry about this act.
As Edward Snowden best put it, CISA at its core is a "surveillance bill".
CISA is the key that the National Security Agency (NSA) needed to be able to funnel more Internet users' information. This means that this is not in the name of intelligence surveillance, but rather it is just so they can analyze the data.
On top of that, this act isn't even for the protection of user privacy; rather, its claims involve "protecting against cyberattacks by enhancing information sharing". This bill isn't for enhancing the defenses of an organization - it's not for the prevention of cyber attacks. This whole bill is just a massive blow to the idea of protecting our private information.
The worst part though? It passed 74-21.
In the event of a security breach or any major incident, there is a high likelihood that the victims' data would be exposed, and under CISA, those victims would have no protection and no recourse for their exposed data. Those that share data and "accidentally" expose customer information are protected from lawsuits. But hey, that's good for the companies that comply, right? The lure of being legally immune under a whole range of laws, such as antitrust law and the Freedom of Information Act (FOIA), can be appealing to some. Also, when the company in question is sending threat information to the government, the bill won't - and can't - protect users' privacy.
It's a whole mess altogether.
CISA doesn't make companies remove unrelated personal information; these documents do not get scrubbed down to get rid of the Personally Identifiable Information (PII). Even the Department of Homeland Security (DHS) agrees that CISA is fundamentally flawed.
At its core, CISA is nothing more than an overflow of information coming from organizations and being funneled to security agencies under the idea that this is "vital" for protecting computers and will lead to an end of cyberthreats. Relevant information is classified as "everything", and despite information already being reported through public releases, private communications, and Information Sharing and Analysis Centers (ISACs), it's just not enough.
"Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and the Computer Fraud and Abuse Act would be precluded or at least sharply restricted."
-Electronic Frontier Foundation (EFF)
There is a tremendous amount of privacy threat and a whole slew of new spying powers and broad legal immunity wrapped up in this act. From a personal standpoint, I stand with the EFF in trying to stop CISA. CISA proposes to protect our information by releasing it to these security agencies, where they are under an umbrella of immunity to pursue any manner of legal action.
What do I think should happen?
Well, for starters, we shouldn't have a bill passed that takes away any manner of privacy. Rather, we can encourage businesses to consider their position within Information Governance. They need to educate their employees and end users, since a majority of these breaches may occur from the inside. Educated users are less prone to making large-scale mistakes, and understanding your own organization is one of many steps that should already be covered. We don't need every organization and everyone to know what lies within to the number, so throwing away everything we've worked for in establishing privacy would be a bad move.
But hey, that's just my view on the matter.