U.S. lawmakers and tech companies may see eye to eye on a lot of things, but their disagreement over the CISA cybersecurity bill is a reminder of how far apart Silicon Valley and Washington, D.C., can be when it comes to Internet privacy.
The Senate is expected to take its final vote on the Cybersecurity Information Sharing Act on Tuesday. Its ostensible idea is to help “improve cybersecurity in the United States” by encouraging companies to share information about cybersecurity threats with the government.
But the tech industry views the bill as a barely disguised surveillance law that would give national spy agencies another tool to pick through Americans’ private data. And despite giving more than $117 million to political campaigns last year, that’s not going to help tech companies stop a bill that has bipartisan support in Congress and the backing of the White House.
The government has proven to be embarrassingly inept when it comes to securing personal data.
This isn’t the first or last clash between the political establishment and the tech industry over government’s proper role in safeguarding privacy and cybersecurity.
Snowden and privacy
When Edward Snowden exposed the unchecked extent of the government’s spying activities, U.S. Sen. Dianne Feinstein (D-Calif.) blasted the former National Security Agency contractor as a traitor.
“I don’t look at this as being a whistleblower,” the chairwoman of the Senate Intelligence Committee told reporters at the time. “I think it’s an act of treason.”
Feinstein’s voice echoed widely. You heard a similar refrain from soon-to-be-former House Speaker John Boehner (R-Ohio) and other Congressional leaders demanding that the government extradite Snowden and haul him before a judge.
With the notable exception of Netscape co-founder and tech investor Marc Andreessen, who agreed with Feinstein about Snowden, Silicon Valley directed most of its anger at Uncle Sam for letting the NSA run wild. Microsoft’s chief counsel spoke for many fellow tech executives when he described the government’s snooping as “an advanced persistent threat,” a term usually applied to a cyberattack sponsored by a nation-state.
This wasn’t just about philosophy: Billions of dollars were at stake. The revelations led to Microsoft losing customers, including the government of Brazil. Meanwhile, the tech industry as a whole braced for blowback and expected losses between $35 billion by 2016 to as much as $180 billion.
‘We’re from the government and here to help’
Critics are right to fear that CISA could lead to unintended disclosure or misuse of user information. The government has proven to be embarrassingly inept when it comes to securing personal data. Consider the massive breaches at the IRS and the Office of Personnel Management just months ago.
And what happens when foreign state-sponsored actors attempt get their hands on sensitive cyberthreat information stored in a poorly secured federal agency? They’ll waltz off with invaluable information they can use to adjust cyberattack strategies to bypass U.S. defenses.
But CISA would ensure that companies turning over information that winds up exposed won’t have to worry about getting sued; through the bill, Uncle Sam is offering legal immunity to firms that voluntarily share cyberthreat details with the Department of Homeland Security.
Apple, Facebook, and Google lead a list of 22 tech companies that publicly oppose CISA. Other major computer and Internet companies working through the Computer and Communications Industry Association also say the bill is a terrible idea.
CISA is indicative of the sort of tone-deaf government policymaking guaranteed to lead to tech industry fits.
At last count, the bill included more than 20 amendments. The worst came from Sen. Sheldon Whitehouse, who wants to expand the scope of the ill-considered Computer Fraud and Abuse Act, which already makes it illegal for someone to intentionally access a computer without authorization or in excess of authorization.
It’s anyone’s guess what “without authorization” really means. Privacy and civil-liberties groups note that the ambiguities in CISA would open the door to disproportionate penalties for low-level computer crime. If Whitehouse’s amendment remains, and CISA passes, the government would have broader authority to use the computer fraud laws that led to the prosecution of activist Aaron Swartz.
A brilliant programmer and privacy advocate, Swartz faced federal charges that could have sent him to prison for 35 years. Swartz’s crime? He used MIT’s computer network, without authorization, to download millions of articles from the online archive Jstor.
Swartz, who suffered from depression, later hanged himself in his apartment.
Where’s the rewrite department?
The hired help on Capitol Hill should have expected blowback. Silicon Valley was bred on a culture of antisecrecy liberalism, and CISA is indicative of the sort of tone-deaf government policymaking guaranteed to lead to tech industry fits.
There’s legitimate reason to worry about giving the government more power to access personal information. We’ve long passed the point where people automatically trust the government to do the right thing, when it comes to cybersecurity and privacy.
We can cross our fingers and hope that the federal government makes sure not to overstep its prerogative. But when it comes to privacy and the Internet, Uncle Sam has proved that it’s simply unable to resist temptation.