Congress easily passed a thinly disguised surveillance provision — the final version of the Cybersecurity Information Sharing Act, or CISA — on Friday; it was shoehorned into a must-pass budget bill to prevent a government shutdown before the holidays.
Born of a climate of fear combined with a sense of urgency, the bill claims to do one thing — help companies share information with the government to heed off cyber attacks — and does entirely another, increasing the U.S. government’s spying powers while letting companies with poor cyber hygiene off the hook. It’s likely to spawn unintended consequences.
Some critics felt its passage was in some ways eerily similar to when the USA Patriot Act, one of the most expansive surveillance bills in recent U.S. history, was made into law shortly after September 11, 2001.
In both cases, Congress had little time to even read the bills, making it inevitable that many would vote without being fully informed. And the result is the same — increased power and less accountability for the intelligence community.
“CISA is the new Patriot Act. It’s a bill that was born out of a climate of fear and passed quickly and quietly using a broken and nontransparent process,” wrote Evan Greer, campaign director for Fight For the Future, a digital rights group, in an email to The Intercept.
“Most members of Congress still don’t understand what it will actually do, which is to dramatically expand the U.S. government’s unpopular and ineffective surveillance programs and make all of us more vulnerable to cyber attacks by letting corporations off the hook instead of holding them accountable when they fail to protect their customer’s sensitive information,” she continued.
“We’re all feeling a collective sense of déjà vu because we’ve seen this before,” wrote Nathan White, senior legislative manager at digital rights group Access Now, in an email to The Intercept. “This is like a bad sequel where we all know the ending, but shouting at the characters doesn’t change anything.”
“Just like the USA Patriot Act, CISA was a collection of old ideas that Congress had repeatedly rejected. And just like the Patriot Act, they rewrote the final bill in secret and snuck it through Congress before most people could even read it,” he continued. “And just like the Patriot Act, the bill will be used for far more than what members of Congress think that they are authorizing.”
When the Patriot Act was on the table in 2001, just weeks after the September 11 terror attacks, it flew through Congress late at night, with almost no debate or review. Legislators couldn’t even get into their offices at the time because they were quarantined, as letters laced with anthrax had been mailed to congressional offices and citizens’ mailboxes — ultimately killing five.
“A massive security bill (like the Patriot Act) was dropped on the floor in the dead of night before members were to vote on it,” wrote Richard Forno, the director of the Graduate Cybersecurity Program at UMBC in Maryland, in an email to The Intercept raising the similarities with this week’s bill.
But as national security writer Marcy Wheeler points out, this time around the intense urgency may have come less from the intelligence community and more from the Chamber of Commerce and some corporations, which will benefit from the way CISA lets corporations “that don’t fix their security issues” off the hook. Wheeler wrote that a provision in CISA may essentially prevent the government from suing companies for not living up to their privacy policies, as the FTC has in the past, as long as they share information about cyber threats — and even if their cybersecurity negligence led to the breach.
Other privacy advocates noted that the cybersecurity bill took a stealthier path to passage than the Patriot Act. “The Patriot Act was billed as something exceptional and game-changing. CISA disguised itself,” wrote Jeff Landale, executive assistant for X-Lab, in a tweet to The Intercept. CISA is “more technically complicated in how it expands the surveillance state,” he wrote. “The main difference politically is that too many in Congress just didn’t see CISA as a big deal.”
Greer, of Fight For the Future, speculated that CISA was “disguised” partly because the climate for spying legislation has changed since NSA whistleblower Edward Snowden’s revelations. “The pendulum swung our way a lot after Snowden, they couldn’t just come out and say it was a spying bill,” she wrote in a tweet.
Versions of CISA have been around for years, so Congress and the White House could have rallied objection to it. Indeed, in 2013, the White House threatened a veto over a very similar bill. However, the White House actually endorsed the bill this time around.
“In one significant way Patriot Act & CISA are the same,” tweeted Jonathan Langdale, a software developer, to The Intercept. “They’re a step backwards because we don’t know what else to do.”