This holiday season, Congress quietly gifted a major expansion in digital surveillance to the intelligence community by ratifying a version of the controversial Cybersecurity Information Sharing Act (CISA). This information-sharing legislation has been widely decried by privacy activists, computer scientists, and technology companies for empowering government agents to access massive new datasets under the guise of "cybersecurity." But it wasn't enough for Congress to pass a standalone version of the bill that the Senate approved in October. Instead, our esteemed legislators snuck this big lump of security-state coal into the major omnibus budget bill that Obama signed into law December 18.
Like the much-maligned PATRIOT Act before it, CISA is the most recent incarnation of a bad idea that Congress has been hung up on for years now. First proposed in 2011 as the Cyber Intelligence Sharing and Protection Act (CISPA), the "information-sharing" policies at the heart of these measures are a not-so-subtle pretext for expanding the feds' ability to access data without a warrant. The government's line goes like this: Information systems in the U.S. are subject to constant and evolving cyberthreats, but organizations are unable to learn from each other's experiences because sharing information about cyberattacks may expose them to lawsuits from customers whose data has been revealed. If intelligence agencies had access to this data, then they could swiftly and efficiently inform the relevant organizations about impending risks, allowing them to better defend themselves.
But the holes in this line of thinking are evident. Numerous information-sharing initiatives already exist within the private sector and federal government. Government agencies have been unable to adequately inform even their own offices about known cyberthreats, so it is extremely unlikely that they will become magically more efficient when tasked with informing the nation as a whole. And computer-security experts dispute that inadequate information-sharing is a core impediment to improving the nation's cybersecurity. Meanwhile, some of the biggest CISA supporters actively attack the sort of strong encryption techniques that computer scientists advocate to actually improve cybersecurity.
CISA is not a cybersecurity bill at all, really, but a deceptive surveillance measure that will make us less secure.
The version of CISA that made it into the passed omnibus bill was even worse than the standalone versions that were so controversial in the past. It explicitly authorizes agencies to use data gathered under the guise of "cybersecurity" to prosecute individuals for unrelated crimes involving things like terrorism and intellectual-property violations. And the final text was stripped of the few privacy clauses won by civil liberties-minded legislators, such as a requirement that corporations and agencies do their best to scrub and anonymize the shared data. The final version contains no such meager measures.
What's worse, we will have no way of knowing whether our data has been shared by corporations or federal agencies because such information is immune from FOIA requests. And even if we could, we would lack any legal recourse against parties who improperly share our data.
Then there's the new data portal that CISA creates. The Department of Homeland Security (DHS) is authorized to share information gathered through CISA with intelligence agencies like the FBI and the National Security Agency (NSA), provided that it first scrubs the data of any "personally identifiable information" such as names, addresses, or financial information. But CISA also authorizes the president to create a separate data portal for intelligence agencies if the DHS system is "flawed"—which, given the DHS's history of subpar data management, is very likely to occur.
Many have compared the scale of expanded surveillance that CISA authorizes with the controversial PATRIOT Act of the post-9/11 period. Just as 9/11 terrorists were used to falsely justify bulk metadata collection, today's hackers are used to falsely justify bulk cyberthreat sharing. And as with the PATRIOT Act, legislators were given almost no time to read the hairy details before voting a new digital security state into law. Rep. Justin Amash (R-Mich.) reports that a handful of legislators drafted the final CISA text behind closed doors just hours before the vote with little to no real debate.
But say what you will about the PATRIOT Act—at least Congress was forthright about the expansion of surveillance and curtailment of civil liberties that it would entail. In the case of CISA, legislators snuck in a massive expansion of surveillance as a footnote to a major spending bill. While legislators who voted for the PATRIOT Act were at least aware of the magnitude of the changes that they authorized, it's likely that many in Congress were unaware of the CISA provisions in the omnibus bill at all, much less understood the new digital spying regime that they covertly create.
With the covert inclusion of a massive surveillance expansion in a major budget deal, we have reached a new loathsome normal. Government power is now so innocuous that not only do legislators feel comfortable stooping to these sordid tactics, they actually get away with it.