After a long campaign against the original Cybersecurity Information Sharing Act (CISA), privacy advocates, civil liberties groups, legal experts, and ordinary citizens have all been left dismayed after the bill’s contentious features were forced into an omnibus bill that was passed by Congress last week.
The year-end spending bill, which was signed into law, covered a lot of ground and it was highly unlikely to be voted down as this would have led to a government shutdown. The spending bill accounts for $1.15 trillion and had the CISA measures tacked on by House speaker Paul Ryan.
Proponents of the new measures, dubbed the Cybersecurity Act of 2015, say it will help in combating cyber-attacks by allowing companies and organizations to share data, while the bill’s opponents said it was another overreach of government surveillance. Here’s what you need to know.
1. Major tech companies hate it
In the ongoing back and forth between Silicon Valley and the US government, typified by the encryption debate, many of tech’s biggest companies opposed CISA and, as a result, this new cybersecurity law too. Reddit, Yelp, Twitter, and unsurprisingly Apple have all voiced opposition to these measures. At the same time, a number of trade groups have held similar positions. These include groups with members like Facebook and Amazon. However, these companies haven’t taken their own individual stance on the issue.
2. Information sharing may not help
Under the measures, companies can share data with the government, but there appears to be little oversight to manage this. Companies need to keep an eye out for a “cyber threat indicator”, which would inform their decision to share the data with authorities. At the same time, there is no way to prove that sharing this data could prevent a cyber-attack, or that companies will be penalized for sharing “irrelevant” data on users, which would be a breach of privacy. Finally, there are also concerns over the government gathering huge swathes of data from companies like this, which could, in theory, create a centralized database of user info that hackers could target.
3. Accountability is restricted
Senator Ron Wyden, from Oregon, called the bill “badly flawed” and filled with “unacceptable surveillance provisions” that were in need of more rigorous debate. “It contains substantially fewer oversight and reporting provisions than the Senate version did,” he said, adding that bodies like the CIA will be less accountable for their actions and have few rules that compel them to take part in investigations into the use of data.
4. Little fanfare
Since the bill was passed and signed by Obama, the new cybersecurity measures have been picked apart and criticized heavily. However, in the run-up to the vote, there was much less fanfare than the previous versions of CISA garnered. This has come in for some serious criticism. Justin Amash, a Michigan Republican, said Congress was “kept in [the] dark” over the addition of CISA to the spending bill so as to ensure that opponents “don’t have time to rally opposition to particular measures.”
5. The future is unclear
Exactly how the law will play out remains to be seen. Supporters of the bill have welcomed its passing. Organizations like the National Retail Federation said that it will “create an atmosphere of community vigilance that will ensure that consumers’ sensitive data is kept safe.” Now that the government has a new means to gather people’s data, it will face growing pressure to keep that data secure; just look at hacks like the one seen at OPM this year. At the same time, the expanding surveillance culture will likely continue under the banner of this act.
“Most members of Congress still don’t understand what it will actually do,” Evan Greer of Fight for the Future told The Intercept, “which is to dramatically expand the U.S. government’s unpopular and ineffective surveillance programs and make all of us more vulnerable to cyber attacks by letting corporations off the hook instead of holding them accountable when they fail to protect their customer’s sensitive information.”