The empire strikes back with CISA

The past few weeks have been a breath of fresh air for privacy activists. From passage of the USA FREEDOM Act to passage of various House amendments to further curtail NSA spying, civil liberties seem to be back in the limelight. However, the introduction of the Cybersecurity Information Sharing Act (CISA) represents the potential for a one-step-forward-two-steps-back approach to government surveillance reform.

Although CISA is ostensibly billed as a means of beefing up U.S. network security, its touted provisions do not actually improve security and seem more likely to grant broad discretionary powers to the same intelligence agencies recently reined in by USA FREEDOM.

So what’s so bad about CISA?

To begin, much of the necessary information-sharing for cybersecurity is already occurring under existing laws. Specifically, technologists and network security specialists have publicly confirmed that CISA and other cyber-threat/information-sharing bills are entirely unnecessary, given the current arrangement between government entities and private firms. As various cybersecurity experts have maintained, there is no need for “new legal authorities to share information that helps [them] protect [their] systems from future attacks.” They said as much in a joint letter to Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.):

When a system is hacked, the compromise will leave a trail, and investigators can collect these breadcrumbs. Some of that data empowers other system operators to check and see if they, too, have been attacked, and also to guard against being similarly attacked in the future. Generally speaking, security practitioners can and do share this information with each other and with the federal government while still complying with our obligations under federal privacy law.

Additionally, these experts say they would welcome legislative changes that (1) limited the categories of information to be shared to only those needed for “securing systems against future attacks,” (2) mandated that firms scrub all personally identifiable information (PII) and other private data, and (3) did not permit shared information to be used for nonsecurity issues.

The New America Foundation’s Open Technology Institute recently put out a coalition letter on CISA concluding that its “overbroad monitoring, information sharing, and use authorizations effectively increase cyber-surveillance” and simultaneously undermine the cybersecurity objectives contained therein.

Among the more frightening elements of CISA is the authorization for law enforcement agencies to use information derived through companies’ voluntary dissemination to investigate and prosecute a wide array of garden-variety crimes — sans any pesky warrant. The USA FREEDOM Act might have ended the NSA’s bulk surveillance program under Section 215 of the USA PATRIOT Act, but CISA would effectively return, and expand, that power to the NSA under a new legal regime.

Other issues aside, it is ironic that the federal government would purport to increase the cybersecurity of private networks. The number of security failures reported by federal agencies has increased by over 1,000 percent in the past decade, from 5,502 in 2006 to over 61,000 in 2013. Redundant and overlapping agencies established to deal with cyber threats have only hindered the process of securing government networks, contributing to information overload, unclear responsibilities for various agencies, and conflicting policies on proper security responses among the various agencies. Indeed, as Andrea Castillo pointed out in a recent article for The Hill, “the federal government must get its own house in order before such comprehensive information sharing measures like CISA could be even technically feasible. But CISA would be a failure even if managed by the most well-managed government systems because it seeks to impose a technocratic structure on a dynamic system.”

Former NSA director Gen. Michael Hayden remarked on the recent passage of the USA FREEDOM Act this past Monday, bluntly pronouncing:

If somebody would come up to me and say “Look, Hayden, here’s the thing: This Snowden thing is going to be a nightmare for you guys for about two years. And when we get all done with it, what you’re going to be required to do is that little 215 program about American telephony metadata – and by the way, you can still have access to it but you got to go to the court and get access to it from the companies, rather than keep it to yourself” – I go: “And this is it after two years? Cool!”

The former director’s candor in minimizing USA FREEDOM shines a light on just how pressing surveillance reform continues to be for privacy advocates and civil libertarians. Although USA FREEDOM was an important, albeit small, step in the right direction, bills like CISA make it clear that the intelligence community is not backing away from its newfound powers without a fight.

Those of us concerned about beating back the ever-expanding Orwellian surveillance state must be constantly vigilant in the face of the intelligence community’s attempts at couching their surveillance powers in the language of “cybersecurity.” CISA, like other bills likely to come down the pipeline in the near term, is not primarily concerned with network security – it is nothing more than a vessel containing government-sanctioned surveillance.

Hagemann is the civil liberties policy analyst for the Niskanen Center, a libertarian nonprofit advocating pragmatic policy reforms.
