A controversial cybersecurity bill passed the U.S. Senate yesterday by a 74-21 vote, despite opposition from organizations and businesses that claimed the measure does not support the idea of a free and open Internet.
The Cybersecurity Information Sharing Act (CISA), if signed into law by President Barack Obama, would allow businesses and government agencies to share information related to hackers and their methods. The goal of the bill is to use information about cybersecurity attacks, shared from business to business, to help organizations and agencies alike defend themselves from hackers or cyber criminals.
Fight for the Future (FFTF), a digital rights group, is strongly against CISA and said the bill has been discredited by experts, tech companies, and advocacy groups across a wide spectrum of industries. Evan Greer, campaign director of FFTF, said if Obama does not veto the bill, he will be showing he “never cared about the open Internet.”
“This vote will go down in history as the moment that lawmakers decided not only what sort of Internet our children and our children’s children will have, but what sort of world they will live in,” said Greer in a statement. “Every Senator who voted for CISA has voted for a world without freedom of expression, a world without true democracy, a world without basic human rights.”
Critics of CISA are concerned about the liability and privacy issues that companies will be exposing themselves to when handling data such as customer records and personal information. But recent amendments to the bill require businesses and government agencies to scrub records of data that can be used to identify individuals, according to Jason Kratovil, vice president of government affairs for payments at the Financial Services Roundtable, an organization that represents financial services companies.
“[Companies think] CISA is a surveillance program, and that it’s turning over personal information to the government,” he said. “They made those arguments, but I think the votes made it pretty clear that they are not based in the realities of the legislation. The legislation is clear that personal information must not be part of the sharing equation.”
Kratovil also said that CISA is voluntary: if a company does not want to participate, there is nothing to “compel a company” to do so, and companies take part only if they are willing.
Those that would not be willing include the Electronic Frontier Foundation (EFF); the Computer and Communications Industry Association, whose members include Facebook, Google and Yahoo; Salesforce; Twitter; and presidential candidates Rand Paul and Bernie Sanders, among others.
The EFF said that the bill failed to address the real reasons hackers are able to steal data. In a release, the EFF said that the real cybersecurity problems behind computer data breaches like Target’s are not addressed in CISA.
Carl Herberger, vice president of security solutions at Radware, said that the bill does not address cybersecurity problems like “the DDoS attacks, the problems of people or countries attacking from non-judicially friendly domiciles, and, lastly, the issues of macro-level IT trends, such as IoT, SDN and Cloud migrations.” He also said that it raises another question, that of U.S. citizens having a right to privacy.
CISA could also have an impact globally, according to Mike Weston, CEO of Profusion, a data science consultancy group in London. He said that CISA passing could lead to some negative commercial consequences and to challenges for a World Wide Web that is supposed to be free and open. It could also affect smaller U.S. companies that seek to establish businesses in other countries, where the sharing of personal data is involved.
The next step for both supporters and critics is to wait for CISA to move to a conference committee made up of members of the House of Representatives and the Senate, which will determine the bill’s final language.