Congress’ Fix for Cyberattacks May Hand the Government More of Your Data

“This isn’t a cybersecurity bill—it’s a surveillance bill.”



In the wake of huge government data breaches carried out by suspected Chinese hackers—intrusions that may have exposed the records of millions of federal employees—Senate lawmakers are pushing a controversial cybersecurity bill that privacy experts say would do little to stop future breaches but would give the government access to a trove of Americans’ private information.

Dubbed the Cybersecurity Information Sharing Act, or CISA, the bill is similar to the Cyber Intelligence Sharing and Prevention Act (CISPA), a measure that stalled in the Senate in 2013 over privacy concerns. It grants private companies, including technology and telecommunications firms, legal protection if they share more data on cybersecurity threats with the government. The government currently needs a court order to obtain such material, which could include the personal information of customers. CISA would end that requirement.

Proponents of CISA say the legislation would allow companies to more easily share information on how hackers operate and what tactics they use to breach networks or accounts, which would help the government identify and stop future attacks more quickly. But privacy experts fear private consumer data may be included in the information that companies supply to the government. For example, companies might include the browsing activity of a person whose online accounts have been targeted by hackers.

“This isn’t a cybersecurity bill—it’s a surveillance bill,” says Elizabeth Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice. “There is absolutely no reason to think that that is going to provide any significant cybersecurity benefits.”

Cybersecurity experts also note that this legislation would do little, if anything, to thwart data breaches. “I’m not aware of a single computer security researcher or practitioner who has…gotten up and said this sort of information sharing will meaningfully reduce the likelihood of attack or the severity of breaches or any of the sorts of things you’d want to address,” says Jonathan Mayer, a computer scientist and scholar at the Center for Internet and Society at Stanford University.

Many lawmakers contend that sharing information on past attacks and intrusions would help the government stop cyberattacks, such as the recent hacks on the Office of Personnel Management, in which the records of at least 4.2 million government workers were compromised. The records included the sensitive data collected from intelligence workers during background investigations.

Sen. Richard Burr (R-N.C.) and Sen. Dianne Feinstein (D-Calif.), the chair and ranking member of the Senate Intelligence Committee, have both cited the hacks as one reason the government needs more information from the private sector.

“The recent cyber breach at the Office of Personnel Management was a serious attack on our government and we cannot continue to have citizens’ personal information needlessly exposed to foreign adversaries and criminals,” Burr, the bill’s sponsor, said in a statement last week. “Not only does CISA propose a solution to help address these threats, it does so in a way that works to ensure the personal privacy of all Americans.”

But the OPM hacks appear to have taken place because of a lack of relatively basic security procedures like routine security reviews and data encryption. (At a congressional hearing on Tuesday, officials from the OPM and other federal agencies blamed outdated networks for their inability to adopt some of those measures.) CISA would not address any of the long-standing security flaws documented in an inspector general’s report on the OPM last November; the report called the agency’s security efforts a “significant deficiency.”

“It is very hard to believe, in many of the high-profile instances [of hacking], that a legislative approach like CISA would have prevented the breach—would have even meaningfully increased the speed with which the breach was identified,” says Mayer, the Stanford fellow.

In an email to Mother Jones, an intelligence committee aide noted that “the bill isn’t intended to end all cyberattacks, but rather to reduce successful attacks in the future by sharing knowledge about past attacks.”

Experts disagree on whether personal data may be shared in the process. Goitein, of the Brennan Center, says CISA “allows the government to pressure phone companies into turning over huge amounts of their customer data on a vague suspicion of a cyber threat. It’s going to be full of personally identifiable information on the customers.” But Daniel Castro of the Information Technology and Innovation Foundation notes the information will mostly relate to technical details of internet traffic. “It’s not going to be really content based, in terms of ‘somebody said something,’” he says.

Both he and Mayer point out that private companies already engage in information sharing under current laws, which place much tighter constraints on the kind of data that can be released without a court order. Mayer argues that CISA’s looser restrictions are unnecessary. “I haven’t seen anyone point to a bundle of information that a business couldn’t have shared under [the Electronic Communications Privacy Act],” he says.

While the Senate rejected an attempt by Senate Majority Leader Mitch McConnell (R-Ky.) to attach CISA to last week’s defense authorization bill, the bill will likely enjoy broad support as stand-alone legislation, especially in the wake of the OPM debacle. The Senate Intelligence Committee passed CISA overwhelmingly in March, and the House of Representatives has already approved a version of it. Senators may take up CISA again after coming back from their summer recess.

Regardless of when the bill returns, civil liberties and privacy groups say they’ll fight CISA’s passage. Goitein warns that “if the American public lets Congress pass this bill, we’re gluttons for punishment. We’re just asking the government to donate more of our data to the Chinese government or whoever else is trying to hack into it.”
