May 10, 2015

How CISA Threatens Both Privacy and Cybersecurity


CISA actually bucks the usual liberty/security trade-off, because it threatens our civil liberties without meaningfully improving cybersecurity—and could potentially even weaken it. We should dump this Trojan and focus on developing bottom-up, collaborative security practices that will actually work.

This May, Congress is expected to come together on a bill to protect private entities that secretly share user data with federal agencies. Privacy advocates say the Cybersecurity Information Sharing Act (CISA) threatens Americans' civil liberties by sanctioning yet another avenue for government surveillance. But there's another big problem as well: CISA is unlikely to meaningfully prevent cyber-attacks as proponents claim, and could ultimately weaken cybersecurity.

The stated premise behind laws like CISA (and the defeated 2013 Cyber Intelligence Sharing and Protection Act) is that cyber-attacks can be prevented if private network operators are able to quickly report and disseminate information about new threats and vulnerabilities. Proponents envision a seamless, national cybersecurity-threat system to roust the hackers, coordinated by the federal government.

Existing private and public information sharing initiatives do not go far enough, CISA advocates claim, because private companies fear lawsuits from customers who may not agree that their security is improved when spooks can surreptitiously search their personal data. To overcome this purported problem, CISA would extend legal immunity to corporations that choose to grant the Department of Defense (DOD), Department of Homeland Security (DHS), and Director of National Intelligence (DNI) access to customer data considered relevant to a "cybersecurity threat." This data could then be shared or concealed at federal agencies’ discretion.
