The Business Software Alliance (BSA) and the Computer and Communications Industry Association (CCIA), two leading tech industry trade associations, represent companies whose combined market valuation is well in excess of $2.5 trillion dollars — that's trillion. In the last few weeks, both trade associations have issued statements indicating that they oppose the Cybersecurity Information Sharing Act (CISA) on privacy and security grounds.
BSA made clear that it does not support CISA or either of the two information-sharing bills that passed the House of Representatives. BSA's stated opposition is rooted in privacy concerns; the trade association noted that it "has consistently advocated for strong privacy protections in all information sharing bills currently pending before the Congress."
CCIA explained that it could not support CISA because "CISA's prescribed mechanism for sharing of cyber threat information does not sufficiently protect users' privacy or appropriately limit the permissible uses of information shared with the government. In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties."
CCIA further cautioned that if Congress does pursue information-sharing legislation, it "should not come at the expense of users' privacy, need not be used for purposes unrelated to cybersecurity, and must not enable activities that might actively destabilize the infrastructure the bill aims to protect."
While BSA and CCIA's opposition to CISA is notable because both groups represent some of the largest and most influential tech companies in the world, they are by no means the only major companies and organizations that oppose CISA. Mark Bennioff, CEO of SalesForce, a cloud computing company valued at over $52 billion, recently tweeted his opposition to CISA. The Wikimedia Foundation, parent organization of Wikipedia (the seventh most popular website in the U.S.), also voiced its opposition to CISA, and just this week, Twitter and Yelp followed suit.
Over 70 leading security experts, academics and civil society groups have also spoken out against CISA, warning that its weak privacy protections; overbroad monitoring, sharing and use authorizations; and its dangerous defensive measures provisions would harm average Internet users and undermine cybersecurity.
There are also serious concerns that CISA could undermine national security, since it would increase the government's access to and storage of threat data and personal information, even though the government is unable to securely receive or store that data. Further, the Department of Homeland Security (DHS) is concerned that CISA will reduce situational awareness of cyber threats because the bill would allow companies to share information with any federal entity, making it nearly impossible to quickly and effectively "connect the dots."
It is unclear why the Senate keeps pushing forward on a bill that even our biggest Internet companies don't support. The leaders of the tech industry, the security community, civil society and DHS, the federal government's civilian cyber lead, have all sent a clear message: CISA is significantly flawed. It would harm privacy and cybersecurity. It's time to go back to the drawing board and try a new approach to cybersecurity legislation.
Greene is policy counsel of the New America Foundation's Open Technology Institute.