By Jumana Musa, Sr. Privacy and National Security Counsel at the National Association of Criminal Defense Lawyers
With every news story of a database breached comes a steady drum beat of demands for more cybersecurity. This demand has taken shape in the Senate as the Cybersecurity Information Sharing Act (CISA) and seems poised for a vote by the full Senate. Debated and approved by the Senate Intelligence Committee in a closed door meeting without public scrutiny, the measure would go far beyond its stated purpose in stopping cyberattacks. Civil society groups have opposed the bill, which Senator Ron Wyden (D-Ore.) called a "surveillance bill by another name."
The bill allows for the broad sharing of information with government agencies – both civilian and military – to be used to investigate a broad range of criminal activity unrelated to cybersecurity. CISA authorizes companies to monitor Internet users' activities in order to identify a cybersecurity threat to any entity anywhere, even if such monitoring would otherwise be illegal under a privacy law. Since the information is voluntarily turned over to the government by private entities, this bill would act as a general warrant, all but eviscerating Fourth Amendment protections against unreasonable searches and seizures.
The bill authorizes federal, state, and local governments to use cyber threat indicators to investigate crimes that have nothing to do with cybersecurity, such as robbery, arson, and carjacking, as well as identity theft and trade secret violations. Additionally, CISA authorizes companies to share information, including personal and identifying information, with the government for any purpose authorized under the Act, which means that companies could share information for the purpose of investigating these unrelated crimes. While these crimes are serious, there is no justification for undermining the legal protections that currently apply when such investigations are underway.
Tech experts have laid out several ways that the government could act to protect itself and companies from cyber threats that don't include turning over vast amounts of private records with no legal protection. Congress should not exploit the very real concern of cyberattacks to allow government agencies to investigate and prosecute people without having to comply with the formal protections that were put in place over 200 years ago. When it comes to protecting against cyber threats, CISA is like the emperor's new clothes. Merely stating that the bill is not a surveillance bill does not make it so. If Congress ignores the facts and passes the bill, the President should veto this measure, as he threatened to twicebefore on similarly flawed bills.