Congress’s Cybersecurity Plan Has Some Major Flaws


After being flooded with millions of faxes and phone calls, the U.S. Senate postponed voting on the controversial cybersecurity bill that privacy advocates warn could be a backdoor to more government surveillance.

Congress punted the Cybersecurity Information Sharing Act (CISA) vote to September after privacy groups protested the bill, which cements a voluntary relationship between private companies and the government, amid concerns that it would unnecessarily put customers’ personal information at risk.

“Information sharing can be valuable…however, without vigorous robust privacy safeguards will not be considered by millions of Americans to be a cybersecurity bill,” Sen. Ron Wyden (D-OR) said in a floor speech opposing the bill Wednesday. “Millions of Americans will say that legislation is a surveillance bill.”

Civil liberties groups including the Electronic Freedom Foundation (EFF), New America, and American Civil Liberties Union (ACLU) urged the public to call their senators to persuade them to vote against, what even the Department of Homeland Security has deemed, a flawed bill with more than 20 proposed amendments.


But while Congress is officially on summer vacation, the Senate will still have to face those flaws and hard questions on how to properly balance privacy and security. ThinkProgress talked to Gabe Rottman, the ACLU’s cybersecurity and privacy counsel, to get a look at the top privacy problems senators will face when they get back.

CISA May Violate Current Privacy Laws

One complaint privacy advocates have is that CISA, as written, undercuts existing privacy laws that give citizens power to hold companies responsible for any digital recklessness.

“Private companies receive broad new legal protections for sharing personal information with the government, when such sharing could potentially violate existing privacy law,” Rottman said of the bill.

What could be worse, he said, is the companies who voluntarily participate, “do not have to aggressively strip out personal information unrelated to the threat. They have to review cyber threat indicators for information that they know at the time of sharing is not directly related to the cybersecurity threat and remove it. The problem is ‘know at the time’ that it’s not directly related. In a lot of cases, entities won’t ‘know’ whether the information is related at all.”


For example, a phishing email, those sent from seemingly familiar senders such as a bank or former place of work, sent to different people widens the net cast by companies and the government for catching any communications that are potentially “directly related” to the original phishing email.

“Cybersecurity threats are so varied that a large amount of [personal identifying information (PII)] could be deemed directly related or at least arguably directly related, meaning that an entity is not going to know with certainty that [a communication] not directly related and will leave it in,” Rottman said.

“The bottom line is that most entities are just not going to have enough information to ‘know’ at the time of sharing whether a particular personally identifiable data point is related or not to the threat…many will just overshare.”

Companies — Not Individuals — Would Control Sensitive Information

After Senate Majority Leader Mitch McConnell (R-KY) announced the delay of the CISA vote Wednesday, Wyden echoed the sentiments that caused activists and ordinary citizens to send north of 6 million faxes denouncing the bill.

“It prevents Americans from suing companies for losing their data,” he said, noting CISA would permit companies to share customers’ personal details, including email contents, financial information, and any electronically stored data. “It is voluntary for the companies but for the citizens…across the country it’s not voluntary. For them, this legislation is mandatory.”


Rottman agreed, saying the bill would permit private companies to share otherwise sensitive and heavily guarded information in the name of cybersecurity: “The growing volume of sensitive information will make the government databases even more tempting targets for cyberspies or criminals, which will harm cybersecurity.”

Even Homeland Security Has Concerns

The federal agency charged with guarding the country’s and its citizens digitally and physically said CISA’s framework could “contribute to the compromise of personally identifiable information by spreading it further,” according to a letter the agency sent to Sen. Al Franken (D-MN) last week. “While DHS aims to conduct a privacy scrub quickly so that data can be shared in close to real time, the language as currently written would complicate efforts to do so.”

The bill is similar to a previous volunteer-led effort launched in 2014 where major retailers including Safeway, Walgreens, and Nike formed an alliance with the Department of Homeland Security, Federal Bureau of Investigation, the Secret Service to share real-time threat information through a central intelligence-gathering system.

Under normal circumstances, Rottman pointed out, DHS would “conduct a second sweep of the information to remove any PII that got through. Under the bill, it is not allowed to do so, and it must automatically share the information with the National Security Agency and other intelligence and law enforcement agencies.”

That information is then “used to detect, investigate and prosecute a variety of non-cyber-related crimes,” including those that fall under the Espionage Act — legislation that has been the crux of many national security investigations and government whistleblower cases.

It Wouldn’t Prevent The Most Egregious Hack Attacks

Most importantly, advocates proclaim the bill wouldn’t do anything to preclude breaches, including China’s enormous attack on the Office of Personnel Management, health records breaches, the notorious Sony hack, or bad digital hygiene.

Robyn Greene, policy counsel for the New America Foundation’s Open Technology Institute, agreed, tweeting the breaches that wouldn’t have been prevented based on CISA’s language.

But we’ll just have to wait until after Labor Day to see if Congress agrees.