The Lesson of CISA’s Success, or How to Fight a Zombie

IF THE ZOMBIE HORROR GENRE teaches us anything, it is never to celebrate too soon. Beware the hubris of a character who walks from the graveyard victorious, failing to anticipate an undead hand pushing up through the soil. And so it was with defeat of the Cyber Intelligence Sharing and Protection Act, or CISPA — a surveillance bill introduced under the pretext of cybersecurity, which died in the Senate in 2012. “Victory over cyber spying,” announced the Electronic Frontier Foundation. Too soon. The bill now stomps through Congress with unswerving resilience toward the president’s desk, in the form of CISA, the Cybersecurity Information Sharing Act.

Last week the Republican-controlled Senate passed CISA by a vote of 74-21. CISPA had failed in a Democratic Senate. The bills are near-identical, a disconcerting reminder that if powerful lobbies want legislation passed, opponents face a Sisyphean task in keeping the laws — with cosmetic changes and slightly altered names — off the books. When it comes to cybersecurity legislation, where populist paranoia about non-specific “cyber threats” is high and technical expertise among lawmakers is low, corporate lobbyists and government data-mongers have a persuasive upper hand. The zombie metaphor has been widely applied to CISA because the bill arose as CISPA-undead, and CISPA itself had been proposed and killed twice over. But the horror analogy goes further: CISA is lumbering, imprecise, and — like many fictional zombies — a monstrous manifestation of a popular social anxiety.

Like CISPA, CISA claims to protect against cyberattacks by enhancing information sharing between private corporations and federal government agencies. CISA supposedly protects individuals’ privacy more than CISPA would have, because the data sharing goes via the Department of Homeland Security, not directly to the National Security Agency. But it is not remotely clear that DHS will scrub private information before sharing data with other agencies, or even that it would have time to do so — near-real-time sharing with the NSA is written into the legislation. DHS itself admitted that CISA can’t and won’t protect user privacy.

NSA whistleblower Edward Snowden, among others, unequivocally calls it a “surveillance bill” — provisions that would have ensured the removal of personal identifying data from the information companies and the government could share were struck down. Under the dangerously vague rubric of a potential “cyber threat,” the bill could allow immediate sharing of our data — including names, search histories, addresses — between firms and the government. It is the very meaning of a surveillance state: a corporate-government nexus under which no personal data is shielded. The CISA bill will now head to the House, where it will be reconciled with two similar cybersecurity bills already passed there — the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act. Privacy advocates have little to be hopeful for in this process. The Senate bill is very similar to the House bills; few differences need negotiating, and the Republican House is unlikely to take issue with the Senate-approved CISA.

The passing of some sort of cybersecurity bill was a fait accompli for the Obama administration for some time. As Mark Jaycox, a legislative analyst for EFF, told The Intercept, “The President put a lot on the line with regards to cybersecurity.” Major hacks on the government’s Office of Personnel Management, Sony, JPMorgan, and Target made headlines and bolstered corporate and government demands for legislative action. Little wonder the president stood behind CISA; his threat to veto CISPA was before those high-profile attacks. CISA’s passage through the Capitol illustrates the emptiness of simply wanting to see “action,” combined with the sly maneuvering of corporate lobbyists.

Dozens of cybersecurity experts have pointed out that, privacy rights aside, CISA is a bad bill in terms of actually preventing attacks like those carried out against OPM and the breached private-sector companies. The precise cause of the Sony hack has not been made public, but intelligence experts have said evidence points to an inside job, and other speculated scenarios, such as an attack by North Korean hackers, would not have been prevented by CISA. Meanwhile, the hack at JPMorgan was made possible due to an un-updated server; information sharing would not have intervened here. The OPM attack related to weaknesses in system security; information sharing also would not have prevented that breach. The Target hack appears to have been the case of a person installing malware, which Target security experts missed.

“Instead of proposing unnecessary privacy-invasive bills, we should be collectively tackling the low-hanging fruit. This includes encouraging companies to use the current information-sharing regimes immediately after discovering a threat,” EFF’s Jaycox wrote. He added that instead of something like CISA, “companies must persistently educate end users since it’s well-known that many security breaches are due to uneducated employees downloading malware.”

A letter penned to the Senate by 65 security experts, academics, technologists, and privacy advocates detailed how the information sharing proposed in CISA could actually create further security risks for companies. “Waiving privacy rights will not make security sharing better,” they wrote. “Further, sharing users’ private information creates new security risks. … This excess sharing will not aid cybersecurity, but would significantly harm privacy and could actually undermine our ability to effectively respond to threats.”

There’s nothing mysterious about a bill that’s both weak with regard to cybersecurity, and dangerous with regard to privacy, making congressional headway. To say it’s bad legislation misses that, for some parties, it’s very good indeed. CISA offers a great gift to corporations. Companies who agree to share user data with government agencies would be granted legal immunity from a whole range of laws, including antitrust and FOIA. So not only does the bill serve the data-devouring government surveillance beast, it offers a protective quid pro quo for corporations who cooperate. This limited liability with regard to user data could also dangerously de-incentivize companies to improve their own security systems.

It’s notable, then, that Silicon Valley leviathans like Apple and Twitter have lobbied against the bill. But this is explicable: Companies like this have more to lose if users stop using their services due to privacy concerns. Much Silicon Valley face-saving followed Snowden’s revelations, which implicated tech and telecom firms in mass surveillance. The Intercept’s Lee Fang has previously highlighted how “many of the most powerful corporate interests in America,” with companies including 3M and Lockheed Martin, signed on to support the bill. I’m reserving any abundant praise for Silicon Valley anti-CISA efforts — their corporate interests just currently tend toward privacy protections, which is not the case, say, for the energy sector.

CISA defenders insist that this data sharing is voluntary, but Amie Stepanovich at Wired rightly pointed out that, in practice, data sharing would become de facto compulsory for businesses. She noted that “the ‘cyber threat information’ that the government would be allowed to share with participating companies under the bill may, and foreseeably will, provide so much of a competitive advantage — the advantage of being ‘in the know’ — that companies will be forced to participate simply to keep up with their participating competitors.”

CISA works to prevent corporations from acting as protectors of their customer data. As such it highlights the limitations of privacy reform efforts that seek to shift bulk data collections into the hands of private firms and away from agencies like the NSA. Such reforms can serve as little more than lines in the sand around our personal data when unfettered corporate-government data sharing is the status quo. Opposition to these surveillance measures is not waning. Indeed, action taken against CISA was technically fiercer than against CISPA. As Jaycox told The Intercept, “CISA had Silicon Valley come out against it, particularly Apple, Twitter, Yelp, Salesforce. CISPA didn’t see many large Silicon Valley companies come out against it.” He added that “the public response in particular was as vigorous as CISPA, since you had over 1 million faxes and thousands of emails and phone calls sent by the public to Congress.”

Others, however, see a waning in opposition compared to previous privacy-threatening legislation. “With PIPA [the Protect IP Act] and SOPA [the Stop Online Piracy Act] you had literally tens of millions of people engaged, writing and calling Congress, posting blackouts on their sites,” Tim Karr, senior director of strategy at Free Press, told the Daily Beast. “I don’t think it’s quite the same scale.” We might point to the GOP Senate takeover or the shift in White House agenda to explain why CISA is succeeding where CISPA died; it was not for lack of opposition. But zombies are frightening precisely because they are both resilient and uncanny. They need not be cunning to gain ground.

There might be more to the CISPA/CISA resurrection than a cautionary tale about not celebrating victories too soon. Sticking to our horror tropes, we know that bashing each zombie as it approaches won’t suffice. The struggle is to kill the source. Government agencies, lobbyists, and major corporations are invested in upholding the myth that mass surveillance equates to good cybersecurity. This myth, and faith in it, will keep zombies like CISA alive. This is where we need to fight.

Top photo: “House on Stilts” by Scott Beale, used under CC BY-NC-ND 2.0/ Cropped from original, photo of street art by Phlegm.