Senate Majority Leader Mitch McConnell (R-KY) announced today that there would be an effort to attach the Cybersecurity Information Sharing Act, CISA (S. 754), to the Defense Authorization bill that is now on the Senate floor. This move would almost certainly stifle necessary debate on the privacy and civil liberties problems in the bill and thwart amendments that Senators have been crafting to address those problems. While the Senate Intelligence Committee reported the bill by a substantial margin, some of the Senators on the Committee who voted for the bill did so with the understanding that there would be an opportunity to consider additional amendments on the floor. That opportunity is now at risk, as is the first public debate on the bill, which was marked up in a closed session.
Though CISA includes some improvements adopted at the Committee markup, the bill would:
- Authorize companies to share cyber threat indicators (CTIs) with many agencies in the federal government, including the NSA, and require that any cyber threat indicators a company shares with the Department of Homeland Security (DHS) be immediately shared with multiple other federal agencies, including the NSA and other elements of the Department of Defense (DOD), creating operational confusion and discouraging the very information sharing it would be enacted to foster;
- Risk turning the cybersecurity program it creates into a backdoor wiretap by authorizing sharing and use of cyber threat indicators for law enforcement purposes that have nothing to do with cybersecurity;
- Fail to effectively require that personally identifiable information not necessary to describe a cybersecurity threat be removed from a CTI before the CTI is shared;
- Pre-empt the federal anti-hacking statute and authorize broadly defined cybersecurity countermeasures on one network that damage another network or information stored on such network, encouraging reckless conduct that runs counter to the cybersecurity purpose of the bill; and
- Fail to affirmatively address the cybersecurity-related conduct of the NSA that undermines cybersecurity, including the stockpiling of “zero day” vulnerabilities in technology products instead of revealing them to the makers of those products so the vulnerabilities can be addressed.
These are significant problems and they warrant substantive debate, not just a cursory debate on the bill as an amendment to a larger bill. We encourage members of the Senate to insist on an opportunity to have that debate and consider amendments to CISA, and to oppose the effort to attach CISA to the Defense Authorization Act.