The CISA Fight: Can Congress Fight Cyberattacks Without Compromising Privacy?

November 6th, 2015

By CHHS Research Assistant Jules Szanton

Over the past several years, a number of high-profile data breaches have proved costly to American firms and citizens, and the public is increasingly concerned that online data is vulnerable to hackers.  The federal government, however, is in a tricky position when it comes to countering these challenges: many people don’t trust a prominent federal agency charged with countering cyber threats, and most are unwilling to sacrifice privacy to gain online security.

For several years, Congress has been wrestling with the question of how to help websites protect user data without making the same user data vulnerable to government spying. After years of failed attempts, Congress may be on the verge of passing a cybersecurity bill.  Yet many civil libertarians warn that the bill compromises privacy.

On October 27, the Senate passed the Cybersecurity Information Sharing Act (CISA) by a lopsided vote of 74-21. This past spring, the House of Representatives passed a companion bill, the Protecting Cyber Networks Act (PCNA), by a similarly decisive margin of 307-116.  Now that both houses of Congress have passed versions of the legislation, the House and Senate will convene a conference committee to reconcile the two bills and submit a single text for a vote in both chambers.  President Obama is likely to sign the bill, although he has asked the conference committee to make several revisions.

Both the CISA and PCNA work the same way. Companies with websites that collect personal information are incentivized, but not required, to share information about cyberattacks they’ve faced with other firms and with government agencies.  To entice companies to share information about data breaches, the bills protect cooperating companies from lawsuits stemming from the attack.  (Companies can only be sued if they are found to have engaged in either willful misconduct or gross negligence.)  Supporters of the bills believe that when companies can compare notes on threats they face, all firms will end up with better information on how to protect themselves from large-scale cyberattacks.

To opponents, however, the bill is a dangerous expansion of the federal government’s power to spy on private citizens. The bill incentivizes companies to share “cyber threat indicators,” a category of information that opponents warn is overbroad, poorly defined, and can include evidence of offline crimes like robbery or firearm offenses.  Many opponents also suspect that the government will end up receiving personal identifying information from companies, and will use the information to surveil American citizens.  Other opponents have questioned whether sharing more information with the federal government would actually work as a means of combating cyberattacks.

Interestingly, the debate over the cybersecurity bills has scrambled traditional party alliances. The bills passed with large majorities in both the House and Senate.  Support for the bills was bipartisan, with the Republican chairman of the Senate Select Committee on Intelligence (SSCI) and the panel’s top Democrat even releasing a joint press release in support of CISA.  Opposition to the bills was also bipartisan.  Members of Congress from both major parties voted against the bills, and both right-leaning and left-leaning civil liberties groups opposed the legislation.

Perhaps because both parties contain devotedly civil libertarian constituencies that are skeptical of the two bills, some lawmakers who opposed CISA or PCNA hope that the conference committee will address their concerns. For example, Senator Ben Cardin (D-MD) opposed CISA but says that he would support a final bill with more limits on what sort of information could be shared with the government.

Advocates of the two bills recognize that a final vote is unlikely to happen before January, when Congress returns from its winter break.  That leaves several more weeks for debates between privacy watchdogs and cybersecurity advocates to play out, as lawmakers seek a final product that can appease as many constituencies as possible.
