It seems we can rarely have a definitive win when it comes to certain things, and the surveillance state is one of those things. We beat the Cyber Intelligence Sharing and Protection Act last year, but this year it's back—without the "Protection"—as the Cybersecurity Information Sharing Act (CISA). Senate Democrats blocked Mitch McConnell from trying to attach the bill to the defense authorization bill last week, but that was a temporary stay. The bill is coming back, with intelligence hawks like Sens. Dianne Feinstein (D-CA) and Richard Burr (R-NC) hoping they can use the hacking of federal workers' information to push it through.
[The legislation] grants private companies, including technology and telecommunications firms, legal protection if they share more data on cybersecurity threats with the government. The government currently needs a court order to obtain such material, which could include the personal information of customers. CISA would end that requirement. […]
[P]rivacy experts fear private consumer data may be included in the information that companies supply to the government. For example, companies might include the browsing activity of a person whose online accounts have been targeted by hackers.
"This isn't a cybersecurity bill—it's a surveillance bill," says Elizabeth Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice. "There is absolutely no reason to think that that is going to provide any significant cybersecurity benefits." […]
Experts disagree on whether personal data may be shared in the process. Goitein, of the Brennan Center, says CISA "allows the government to pressure phone companies into turning over huge amounts of their customer data on a vague suspicion of a cyber threat. It's going to be full of personally identifiable information on the customers." But Daniel Castro of the Information Technology and Innovation Foundation notes the information will mostly relate to technical details of internet traffic. "It's not going to be really content based, in terms of 'somebody said something,'" he says.
The very fact that the legislation does not draw a bright line around preventing the transfer of personal data is your first clue that this is not the best Congress could do in crafting a bill. What's more, having something like it in place would not have prevented the hacking of the Office of Personnel Management system, as its proponents are now claiming. The problem for OPM—highlighted in a hearing this week—is that it has antiquated systems that are too old to even use updated encryption and security protections. The first priority for Congress in preventing another breach of a federal system should be making sure agencies and departments actually have adequate funding to do things like update their systems.