Congress’ Fix for Cyberattacks May Hand the Government More of Your Data

“This isn’t a cybersecurity bill—it’s a surveillance bill.”

In the wake of huge government data breaches carried out by suspected Chinese hackers—intrusions that may have exposed the records of millions of federal employees—Senate lawmakers are pushing a controversial cybersecurity bill that privacy experts say would do little to stop future breaches but would give the government access to a trove of Americans’ private information.

Dubbed the Cybersecurity Information Sharing Act, or CISA, the bill is similar to the Cyber Intelligence Sharing and Prevention Act (CISPA), a measure that stalled in the Senate in 2013 over privacy concerns. It grants private companies, including technology and telecommunications firms, legal protection if they share more data on cybersecurity threats with the government. The government currently needs a court order to obtain such material, which could include the personal information of customers. CISA would end that requirement.

Proponents of CISA say the legislation would allow companies to more easily share information on how hackers operate and what tactics they use to breach networks or accounts, which would help the government identify and stop future attacks more quickly. But privacy experts fear private consumer data may be included in the information that companies supply to the government. For example, companies might include the browsing activity of a person whose online accounts have been targeted by hackers.

“This isn’t a cybersecurity bill—it’s a surveillance bill,” says Elizabeth Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice. “There is absolutely no reason to think that that is going to provide any significant cybersecurity benefits.”

Cybersecurity experts also note that this legislation would do little, if anything, to thwart data breaches. “I’m not aware of a single computer security researcher or practitioner who has…gotten up and said this sort of information sharing will meaningfully reduce the likelihood of attack or the severity of breaches or any of the sorts of things you’d want to address,” says Jonathan Mayer, a computer scientist and scholar at the Center for Internet and Society at Stanford University.

Many lawmakers contend that sharing information on past attacks and intrusions would help the government stop cyberattacks, such as the recent hacks on the Office of Personnel Management, in which the records of at least 4.2 million government workers were compromised. The records included the sensitive data collected from intelligence workers during background investigations.

Sen. Richard Burr (R-N.C.) and Sen. Dianne Feinstein (D-Calif.), the chair and ranking member of the Senate Intelligence Committee, have both cited the hacks as one reason the government needs more information from the private sector.

“The recent cyber breach at the Office of Personnel Management was a serious attack on our government and we cannot continue to have citizens’ personal information needlessly exposed to foreign adversaries and criminals,” Burr, the bill’s sponsor, said in a statement last week. “Not only does CISA propose a solution to help address these threats, it does so in a way that works to ensure the personal privacy of all Americans.”

But the OPM hacks appear to have taken place because of a lack of relatively basic security procedures like routine security reviews and data encryption. (At a congressional hearing on Tuesday, officials from the OPM and other federal agencies blamed outdated networks for their inability to adopt some of those measures.) CISA would not address any of the long-standing security flaws documented in an inspector general’s report on the OPM last November; the report called the agency’s security efforts a “significant deficiency.”

“It is very hard to believe, in many of the high-profile instances [of hacking], that a legislative approach like CISA would have prevented the breach—would have even meaningfully increased the speed with which the breach was identified,” says Mayer, the Stanford fellow.

In an email to Mother Jones, an intelligence committee aide noted that “the bill isn’t intended to end all cyberattacks, but rather to reduce successful attacks in the future by sharing knowledge about past attacks.”

Experts disagree on whether personal data may be shared in the process. Goitein, of the Brennan Center, says CISA “allows the government to pressure phone companies into turning over huge amounts of their customer data on a vague suspicion of a cyber threat. It’s going to be full of personally identifiable information on the customers.” But Daniel Castro of the Information Technology and Innovation Foundation notes the information will mostly relate to technical details of internet traffic. “It’s not going to be really content based, in terms of ‘somebody said something,’” he says.

Both he and Mayer point out that private companies already engage in information sharing under current laws, which place much tighter constraints on the kind of data that can be released without a court order. Mayer argues that CISA’s looser restrictions are unnecessary. “I haven’t seen anyone point to a bundle of information that a business couldn’t have shared under [the Electronic Communications Privacy Act],” he says.

While the Senate rejected an attempt by Senate Majority Leader Mitch McConnell (R-Ky.) to attach CISA to last week’s defense authorization bill, it will likely enjoy broad support as stand-alone legislation, especially in the wake of the OPM debacle. The Senate Intelligence Committee passed CISA overwhelmingly in March, and the House of Representatives has already approved a version of it. Senators may take up CISA again after coming back from their summer recess.

Regardless of when the bill returns, civil liberties and privacy groups say they’ll fight CISA’s passage. Goitein warns that “if the American public lets Congress pass this bill, we’re gluttons for punishment. We’re just asking the government to donate more of our data to the Chinese government or whoever else is trying to hack into it.”
