The CyberSecurity Information Sharing Act of 2015 (CISA), is a law currently circulating through Congress in draft form. In a nutshell it is supposed to allow the sharing of threat indicators both to and from the federal government and private entities and corporations. The bill has been met with opposition, primarily from the ACLU (American Civil Liberties Union) and the EFF (Electronic Frontier Foundation).
The main concern is of course consumer privacy. The bill in its current form provides a blanket authorization for companies to monitor the internet activity of all of their users. That in itself doesn’t seem so bad since companies already have that authority. However, another provision in the bill requires the instantaneous sharing of that information with military and intelligence agencies like the NSA.
Is CISA starting to sound like a “cyber-surveillance” bill yet?
The bill does not require the sanitization of Personally Identifiable Information (PII) prior to transmission to government agencies. CISA also does not limit sharing only of cybersecurity information but also a wider range of offenses including crimes involving any level of physical force without that force causing bodily injury or death. One additional provision permits companies to take action against users (even innocent ones) without regard to the potential harm that could be caused.
The icing on the cake is that the bill also incorporates immunity to corporations from potential lawsuits further increasing the likelihood that the provisions in the bill will be acted on.
The Center for Democracy & Technology has written a letter to the Senate Select Committee on Intelligence outlining the objections of civil society organizations, security experts and academics and it can be viewed here: https://cdt.org/insight/letter-to-senate-select-cmte-on-cisa/
I am all for information sharing in the modern age that allows for the protection of consumer interests. However, how much of our rights to privacy should we throw away in order to “feel” safe?