Is New Cybersecurity Legislation about Security or Snooping?

The updated Cybersecurity Information Sharing Act (CISA) easily passed through the Senate Intelligence Committee by a vote of 14-1. This is the fourth consecutive year that Congress will attempt to pass cybersecurity legislation.

Is this bill truly about cybersecurity, or is Congress trying to make it easier for the federal government to collect private data from Americans? Privacy advocates and security proponents are engaged in a fierce debate over that question.

CISA’s intent is to make it easier and safer for private companies to share data about potential cyber threats with the federal government. Proponents of the bill call it a step in the right direction for preventing cyberattacks, such as the recent hack of Sony.

But many people aren’t buying that narrative. Senator Ron Wyden (D-OR) was the lone vote against the bill in the Intelligence Committee. He sees CISA as “a surveillance bill by another name.” The Open Technology Institute (OTI) echoed his conclusion, arguing that “CISA’s broad authorization of indiscriminate information-sharing would open the digital floodgates and give the NSA access to much more of Americans’ personal internet data.”

Lawmakers such as Senator Dianne Feinstein (D-CA) reject the privacy advocates’ accusations. Senator Feinstein made her case for the bill clear: “The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats—NOT personal information—in order to better defend against attacks.”

Despite her assurances against government snooping, privacy advocates noticed something important about CISA. The draft text already allowed data to be shared for counterterrorism purposes, but during the markup lawmakers added another scenario for data sharing: “serious economic harm.”

CISA opponents worry that the bill is littered with vague language that will give federal agencies authority to gather private data on innocent Americans. Even though lawmakers say that a dozen amendments were added to the text to protect private data from government abuse, Greg Nojeim at the Center for Democracy and Technology says, “The law enforcement use permissions are still broad enough to make the bill as much about surveillance as it is about cybersecurity.”

CISA was placed on the legislative calendar on March 17. A vote could come up as soon as the first week in October.