Congress’ Fix for Cyberattacks May Hand the Government More of Your Data

“This isn’t a cybersecurity bill—it’s a surveillance bill.”


In the wake of huge government data breaches carried out by suspected Chinese hackers—intrusions that may have exposed the records of millions of federal employees—Senate lawmakers are pushing a controversial cybersecurity bill that privacy experts say would do little to stop future breaches but would give the government access to a trove of Americans’ private information.

Dubbed the Cybersecurity Information Sharing Act, or CISA, the bill is similar to the Cyber Intelligence Sharing and Prevention Act (CISPA), a measure that stalled in the Senate in 2013 over privacy concerns. It grants private companies, including technology and telecommunications firms, legal protection if they share more data on cybersecurity threats with the government. The government currently needs a court order to obtain such material, which could include the personal information of customers. CISA would end that requirement.

Proponents of CISA say the legislation would allow companies to more easily share information on how hackers operate and what tactics they use to breach networks or accounts, which would help the government identify and stop future attacks more quickly. But privacy experts fear private consumer data may be included in the information that companies supply to the government. For example, companies might include the browsing activity of a person whose online accounts have been targeted by hackers.

“This isn’t a cybersecurity bill—it’s a surveillance bill,” says Elizabeth Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice. “There is absolutely no reason to think that that is going to provide any significant cybersecurity benefits.”

Cybersecurity experts also note that this legislation would do little, if anything, to thwart data breaches. “I’m not aware of a single computer security researcher or practitioner who has…gotten up and said this sort of information sharing will meaningfully reduce the likelihood of attack or the severity of breaches or any of the sorts of things you’d want to address,” says Jonathan Mayer, a computer scientist and scholar at the Center for Internet and Society at Stanford University.

Many lawmakers contend that sharing information on past attacks and intrusions would help the government stop cyberattacks, such as the recent hacks on the Office of Personnel Management, in which the records of at least 4.2 million government workers were compromised. The records included the sensitive data collected from intelligence workers during background investigations.

Sen. Richard Burr (R-N.C.) and Sen. Dianne Feinstein (D-Calif.), the chair and ranking member of the Senate Intelligence Committee, have both cited the hacks as one reason the government needs more information from the private sector.

“The recent cyber breach at the Office of Personnel Management was a serious attack on our government and we cannot continue to have citizens’ personal information needlessly exposed to foreign adversaries and criminals,” Burr, the bill’s sponsor, said in a statement last week. “Not only does CISA propose a solution to help address these threats, it does so in a way that works to ensure the personal privacy of all Americans.”

But the OPM hacks appear to have taken place because of a lack of relatively basic security procedures like routine security reviews and data encryption. (At a congressional hearing on Tuesday, officials from the OPM and other federal agencies blamed outdated networks for their inability to adopt some of those measures.) CISA would not address any of the long-standing security flaws documented in an inspector general’s report on the OPM last November; the report called the agency’s security efforts a “significant deficiency.”

“It is very hard to believe, in many of the high-profile instances [of hacking], that a legislative approach like CISA would have prevented the breach—would have even meaningfully increased the speed with which the breach was identified,” says Mayer, the Stanford fellow.

In an email to Mother Jones, an intelligence committee aide noted that “the bill isn’t intended to end all cyberattacks, but rather to reduce successful attacks in the future by sharing knowledge about past attacks.”

Experts disagree on whether personal data may be shared in the process. Goitein, of the Brennan Center, says CISA “allows the government to pressure phone companies into turning over huge amounts of their customer data on a vague suspicion of a cyber threat. It’s going to be full of personally identifiable information on the customers.” But Daniel Castro of the Information Technology and Innovation Foundation notes the information will mostly relate to technical details of internet traffic. “It’s not going to be really content based, in terms of ‘somebody said something,’” he says.

Both he and Mayer point out that private companies already engage in information sharing under current laws, which place much tighter constraints on the kind of data that can be released without a court order. Mayer argues that CISA’s looser restrictions are unnecessary. “I haven’t seen anyone point to a bundle of information that a business couldn’t have shared under [the Electronic Communications Privacy Act],” he says.

While the Senate rejected an attempt by Senate Majority Leader Mitch McConnell (R-Ky.) to attach CISA to last week’s defense authorization bill, it will likely enjoy broad support as stand-alone legislation, especially in the wake of the OPM debacle. The Senate Intelligence Committee passed CISA overwhelmingly in March, and the House of Representatives has already approved a version of it. Senators may take up CISA again after coming back from their summer recess.

Regardless of when the bill returns, civil liberties and privacy groups say they’ll fight CISA’s passage. Goitein warns that “if the American public lets Congress pass this bill, we’re gluttons for punishment. We’re just asking the government to donate more of our data to the Chinese government or whoever else is trying to hack into it.”

