Congress is currently considering the Cybersecurity Information Sharing Act of 2015 (CISA, S. 754), a bill that has serious implications for privacy and civil liberties. While the bill purportedly is designed to strengthen cybersecurity, it contains significant flaws. On Monday, July 27, ARL joined a coalition of organizations and security experts in sending a letter to President Obama asking for a pledge to veto CISA due to these concerns:
- CISA fails to protect personal information. CISA allows vast amounts of personal data to be shared with government agencies. It allows the sharing of personal and identifying information as a default measure.
- CISA allows the use of information in investigations unrelated to cybersecurity. CISA also allows governments to use cyber threat indicators to investigate a wide range of crimes, including those that are not related to cybersecurity, such as robbery, arson, or trade secret violations.
- CISA fails to maintain civilian control of domestic cybersecurity. CISA would permit companies that operate in the civilian sector to share cyber threat indicators with any agency of the federal government, raising serious privacy concerns.
- CISA permits countermeasures that could damage networks. CISA would allow companies to deploy “defensive measures” or “countermeasures” that could damage networks that belong to innocent bystanders, even when they would otherwise be illegal under the Computer Fraud and Abuse Act.
- CISA raises additional transparency concerns. CISA would create a new exemption to the existing list of nine exemptions under the Freedom of Information Act (FOIA).