Lee Fang
The Intercept [1]
April 2, 2015
Since November 11, 2011, with the introduction [2] of the Cyber Intelligence Sharing and Protection Act, American spy agencies have been pushing laws to encourage corporations to share more customer information. They repeatedly failed, thanks in part to NSA contractor Edward Snowden’s revelations of mass government surveillance. Then came Republican victories in last year’s midterm Congressional elections and a major push by corporate interests in favor of the legislation.
Today, the bill is back, largely unchanged, and if congressional insiders and the bill’s sponsors are to believed, the legislation could end up [3] on President Obama’s desk as soon as this month. In another boon to the legislation, Obama is expected to reverse his past opposition and sign it, albeit in an amended and renamed form (CISPA is now CISA, the “Cybersecurity Information Sharing Act”). The reversal comes in the wake of high-profile hacks on JPMorgan Chase and Sony Pictures Entertainment. The bill has also benefitted greatly from lobbying by big business, which sees it as a way to cut costs and to shift some anti-hacking defenses onto the government.
For all its appeal to corporations, CISA represents a major new privacy threat to individual citizens. It lays the groundwork for corporations to feed massive amounts of communications to private consortiums and the federal government, a scale of cooperation even greater than that revealed by Snowden. The law also breaks new ground in suppressing pushback against privacy invasions; in exchange for channeling data to the government, businesses are granted broad legal immunity from privacy lawsuits — potentially leaving consumers without protection if companies break privacy promises that would otherwise keep information out of the hands of authorities.
Ostensibly, CISA is supposed to help businesses guard against cyberattacks by sharing information on threats with one another and with the government. Attempts must be made to filter personal information out of the pool of data that is shared. But the legislation [4] — at least as marked up by the Senate Intelligence Committee — provides an expansive definition of what can be construed as a cybersecurity threat, including any information for responding to or mitigating “an imminent threat of death, serious bodily harm, or serious economic harm,” or information that is potentially related to threats relating to weapons of mass destruction, threats to minors, identity theft, espionage, protection of trade secrets, and other possible offenses. Asked at a hearing in February how quickly such information could be shared with the FBI, CIA, or NSA, Deputy Undersecretary for Cybersecurity Phyllis Schneck replied, “fractions of a second.”
Jedi Command 