This Bill Won’t Protect You From Hackers


Like a bad horror movie villain, the Cybersecurity Information Sharing Act (CISA) is poised to come back again in the U.S. Senate in the coming weeks.

But despite this bill’s name, a broad range of cybersecurity experts agree: CISA will do little to protect you from hackers, and it may even make things worse.

Top 3 Ways CISA is Bad News:

  1. Reduced liability for companies means fewer incentives to keep your information private.
  2. The government can’t keep its own data safe. Giving more of your information to the government creates a huge new target for hackers.
  3. Most major tech companies already share this information. And that sharing doesn’t do much to stop sophisticated attacks.

Take it from the experts (not from Congress)

Access

“In exchange for incredibly broad liability protections (read: immunity) for dangerous disregard of their users’ privacy, many corporations are willing to turn over that same private information to the U.S. government. They call it information sharing, and this week the U.S. Senate is rumored to consider legislation called “Cyber Information Sharing Act,” or CISA.”

Center for Democracy and Technology

“Under CISA, personal data could be instantly distributed to over half a dozen federal departments without adequate privacy protections, and would then be vulnerable if computer networks in any of these entities were breached.”

Open Technology Institute

“Despite increasing doubts about whether information-sharing legislation could have prevented an Anthem, Sony or Home Depot-style hack, CISA’s proponents insist that passing cybersecurity legislation is the single most important way to enhance cybersecurity. However, the bill’s primary effect will be to increase cyber-surveillance.”

65 technologists and cybersecurity experts

“Waiving privacy rights will not make security sharing better … Further, sharing users’ private information creates new security risks … This excess sharing will not aid cybersecurity, but would significantly harm privacy and could actually undermine our ability to effectively respond to threats.”

Passcode’s Influencers Poll

“In the wake of several high-profile cyberattacks, President Obama pushed a plan to increase the exchange of information about threats between the private sector and the government. Even if it passes Congress, however, 87 percent of Passcode’s Influencers say this initiative will not significantly reduce security breaches.”

Jennifer Granick Director of Civil Liberties at the Stanford Center for Internet and Society

“Good security is supposed to keep your information safe. But these laws will make your private emails and information vulnerable.”

Patrick Eddington

“As the recent OPM breach demonstrated, the vulnerability of federal systems is our greatest cyber Achilles’ heel — and allowing the sharing of inadequately protected personally identifying information (PII) from the private sector to the federal government will make that vulnerability worse.”

ACLU

“Not only would you have a one-stop shop for government worker information, you would have a new trove of personal information about all of us, held in what have proved to be tempting and vulnerable targets for the baddest of actors.”

EFF

“Legislation that focuses exclusively on facilitation of information sharing, such as CISPA and CISA, jeopardizes the foundation of cybersecurity by improperly pitting human rights against security.”

Robert Graham

CISA will lead to sharing of more false positives than real threat information. Skilled hackers, he says, know how to evade intrusion prevention systems, intrusion detection systems, firewalls, and antivirus software. Meanwhile, most data alerts from systems shared under CISA will be false alarms.

“Companies like IBM and Dell SecureWorks already have massive ‘cybersecurity information sharing’ systems where they hoover up large quantities of threat information from their customers,” Graham wrote in a blog post Wednesday. “This rarely allows them to prevent attacks as the CISA bill promises. In other words, we’ve tried the CISA experiment, and we know it doesn’t really work.”

CCIA — (representing Facebook, Google, Amazon, Microsoft and other major tech companies):

“CCIA recognizes the goal of seeking to develop a more robust system through which the government and private sector can readily share data about emerging threats. But such a system should not come at the expense of users’ privacy, need not be used for purposes unrelated to cybersecurity, and must not enable activities that might actively destabilize the infrastructure the bill aims to protect.”

American Library Association

ALA is concerned that not only will CISA not be effective in thwarting cyberattacks, but it de facto grants broad new mass data collection powers to many federal, as well as state and even local government agencies.

Wikimedia

We believe in fighting for our users privacy and security. That’s why we oppose #CISA, a bill that endangers both.”

Yelp

“Congress is trying to pass a ‘cyber security’ bill that threatens your privacy.”

Salesforce

At Salesforce, trust is our number one value and nothing is more important to our company than the privacy of our customers’ data. … Salesforce does not support CISA and has never supported CISA.”

BSA (Business Software Alliance)

“… BSA does not support any of the three current bills pending before Congress, including the Cybersecurity Information Sharing Act (CISA), the Protecting Cyber Networks Act (PCNA), and the National Cybersecurity and Communications Integration Center (NCCIC) Act.”
“BSA has consistently advocated for strong privacy protections in all information sharing bills currently pending before the Congress.
We will continue to work with the Congress, others in industry and the privacy community to advance legislation that effectively deals with cyber threats, while protecting individual privacy.”

Follow #StopCISA for updates.