Digital War Desk: Senate Passes Overnight Cybersecurity Bill

Written by Jim Kelly

The cybersecurity bill CISA was passed overwhelmingly by the Senate. Bernie Sanders opposed. Here’s a full analysis of what’s at stake.

aNewDomain — In the midst of the raging policy debate between governmental security controls and citizens’ privacy interests, the U.S. Senate passed the complex and controversial Cybersecurity Information Sharing Act (CISA) in a 74-21 vote on Monday, October 27, 2015. Parts of the traditional media community, like Wall Street Journal and the Washington Post, supported the cybersecurity bill in its op-ed pieces Tuesday.

CISA grants the government sweeping powers over Americans’ personal and sensitive information to enhance timely communications of cyber-threat intelligence in the public and private sectors. It stands as a very specific step in the nation’s escalating cyber warfare with domestic and foreign powers, including nation-states and ISIL.

cybersecurity bill codeThe Congressional Research Service wrote a paper, “Cybersecurity and Information Sharing: Legal Challenges and Solutions,” which begins by stating, “Over the course of the last year, a host of cyberattacks has been perpetrated on a number of high profile American companies.”

To regain control of the digital battlefield, CISA provides legal immunity to tech companies so that they can share personal information of their customer base and anonymized corporate intelligence with the Department of Homeland Security (DHS). This will, in theory, help to combat overseas cyber threats against corporations and breaches of the nation’s infrastructure — including energy, aerospace, banking, commerce, pharmaceutical and nuclear industries.

Specifically, CISA allows corporations to share vast intel and user data with the DHS and would have complete immunity from Freedom of Information Act (FOIA) discovery requests and regulatory action involving the data the companies share. DHS would be authorized to disseminate users’ personal information throughout the vast patchwork of government intelligence and law enforcement networks.

The legislative measure has been viewed as overreaching and invasive. It has drawn overwhelming opposition among internet privacy groups, progressive academia and civil liberties groups favoring privacy over violative security and control. Former NSA whistleblower Edward Snowden claimed the bill was another surveillance device to spy on Americans and jeopardizes the future of the Internet. On Twitter, Snowden stated that “a vote for Cisa is a vote against the internet.”

Majority Leader Mitch McConnell (R-Ky.) claims that passage of the bill constitutes the “key to defeating cyberattacks and protecting the personal information of the people we represent.”

Bernie Sanders And High-Tech Industry Oppose CISA

ted rall talks to bernie sandersWith a hotly contested Democratic presidential race under way, Bernie Sanders voted against the bill. None of the Republican presidential candidates casted a vote (except for Lindsey Graham, who voted in favor,) including Rand Paul, who once strongly emphasized his libertarian platform that supports privacy in the face of government surveillance. The measure is on track to reach President Barack Obama’s desk and will likely be signed into law after additional legislative conferencing and mark-ups in the House.

The Princeton Center for Information Technology Policy petitioned the Senate in advance of the vote in an open letter, urging the body to block the bill. The letter claims that CISA is fundamentally sabotaging FOIA, trumping hard-won regulatory antitrust and destroying the restraint of trade practices law that was historically legislated during Teddy Roosevelt’s administration to “even the playing field” in favor of fair competition in an open marketplace.

Indeed, many IT professionals expressed in a recent survey their “anti-competitive concerns” and keen interest to “opt-out” of information-sharing programs as anticompetitive business conduct that strikes at the heart of federal antitrust law. (Sherman Act, see 15 U.S.C. §§1-7; Wilson Tariff Act, §§8-11; Clayton Act §§12-27; and Federal Trade Commission Act, §45.)

The Princeton IT consortium group wrote in its correspondence to Congress:

The Freedom of Information Act would be neutralized, while a cornucopia of federal agencies could have access to the public’s heretofore private-held information with little fear that such sharing would ever be known to those whose information was shared.”

tim cook cybersecurity billProminent tech companies Apple, Twitter, reddit, Wikepedia and Yelp collectively opposed CISA. In particular, Apple strongly voiced its dissent, stating, “We don’t support the current CISA proposal … The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”

Some industry observers don’t believe that CISA will benefit the private sector — which is much further down the road than the government — but antitrust and trade regulation and FOIA immunity are valuable in international commerce. Such immunity will let companies avoid possible civil and criminal liability. Fixing the patchwork internally within the industry, according to researcher Brian Krebs of Krebs on Security, is a better bet to enhance security.

The Real Reason The High-Tech Industry Opposes CISA: Intellectual Property

While many of the tech companies oppose CISA due to “privacy concerns,” their greater self-interest involves avoidance of sharing their intellectual property with the government at the risk of “giving away” their propriety IT software systems.

According to Teka Thomas, a federal contracting attorney at the Paxton Law Group in Washington, D.C., in a white paper entitled, “Silicon Valley’s Guide to the Pentagon,” Thomas warns that ventures into the defense market carry potential pitfalls regarding protection of intellectual property, such as patents and copyrights.

Sean Varah, the CEO of MotionDSP, said about working with the government:

When we work with defense primes, we write a piece of connecting code that connects our commercial software to a government system. Then we give them the rights to the connector. That’s how we work with the government.”

Further, private industry vendors in government procurement projects may place intellectual property into the hands of prime contractors, which may monopolize any further work with the government — and the private vendor providing the unique IP may never see a penny at the end of the day for the government’s use of the vendor’s proprietary tech.

Interestingly, in the course of CISA’s legislative odyssey, this powerful high-tech ensemble of industry giants was supposedly joined by the powerful trade group, The Computer & Communications Industry Association (CCIA), a lobbyist for Facebook. But the social media giant has been accused of playing both sides of the fence in this long six-year legislative march.

cybersecurity bill (ILLUSTRATION) An illustration dated 23 January 2012 shows the silhouette of a man in front of a screen with the logo of the online network Facebook in Hanover, Germany. Facebook is being criticized again and again for data privacy. Most recently, Facebook has introduced the Timeline, with which Facebook users can share moments of the entire life with other internet users online. Photo: Julian Stratenschulte -ALLIANCE-INFOPHOTO

Digital rights advocacy group, Fight for the Future, is seeking pledges from tech companies to refrain from sharing information with the government. It claimed that Facebook was privately lobbying for CISA.  “Facebook lobbyists are working behind the scenes to get it passed,” the group said, although Facebook denied the report and pledged that the company will not voluntarily comply with CISA.

Fight for the Future shot back, “Facebook, are you backstabbing the Internet?” according to a petition targeting the social media juggernaut. “Come clean on CISA now.” However, consistent with Facebook founder Mark Zuckerman’s quest for privacy and personal solitude, the company currently has posted that its users will be notified of outside surveillance measures against individual user accounts in its threat-sharing forum.

Meanwhile, Microsoft and Google stood silently on the sidelines of the bill – although their trade associations expressly opposed CISA.

It’s no coincidence that the momentum of the slow-plodding bill finally gained traction after the infamous and Sony cyber hack and the colossal hacks on the Office of Personnel Management (OPM) earlier this spring. These attacks, among the other well-publicized cyber attacks on Target, eBay, Home Depot, J.P. Morgan-Chas, and Anthem, all stoked up concern for cybersecurity and helped the bill to come to fruition.

Notably, co-sponsors Sen. Richard Burr (R-N.C.) and Sen. Dianne Feinstein (D-Ca.) quashed invasion-of-privacy dissenters in the digital and civil liberties community on the issue of notification of surveillance and private citizens’ information. This presented a major political and legal challenge given the variety of “state and federal privacy laws governing the collection, storage, use, and dissemination of electronic information,” including the Electronic Communications Privacy Act of 1986 (ECPA) and The Wiretap Act, which provides for criminal and civil damages against anyone who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept” any covered electronic communication.

In this connection, leading CISA critic Sen. Ron Wyden (D-Ore.) and his privacy allies are adamant in their crusade to refine the bill in the House. They hope to lock in stringent privacy mechanisms in the complex and technical legislation.

Firewall: Protecting the Nation’s Valuable Assets

Industry groups, the White House and bipartisan coalitions have framed this brief “victory” with CISA as a first-step voluntary measure to enhance current cyber defense for the private sector and government. This is in direct opposition to the claims and efforts of NSA whistleblower Edward Snowden, who adamantly stands against invasion of privacy by the government.

Financial and telecommunication industries were also pleased with the passage of CISA. The Telecommunications Industry Association stated that CISA,

(B)olsters our cyber defenses by providing the liability protections needed to encourage the voluntary sharing of cyber threat information … and urge Congressional leaders to act quickly to send this bill to the president’s desk.”

But the overwhelming vote comes as a surprise to many. Norma Krayem, who serves as co-chair on the Data Protection and Cybersecurity division at the powerhouse Holland & Knight law firm, said, “Two weeks ago, no one I talked to believed me when I said the bill would come to the floor.”

The irony and perhaps hypocrisy of the entire cyber debate over privacy among politicians is that the presidential campaigns are using exploitative data mining and sophisticated analytics programs to court voters. This constitutes a serious threat to voter privacy — a “thousand points of light” strategy of data analysis to peer into your personal life about online activities.

As George Carlin once quipped, “Never underestimate the power of stupid people in large groups.”

For aNewDomain, I’m .

Images in order: U.S. Capitol Building via Wikimedia Commons; Code Hacker via Pixabay; Bernie Sanders screenshot courtesy; Tim Cook via Wikimedia Commons; Facebook screenshot courtesy The Imaginative Conservative