This Week the Cybersecurity Information Sharing Act is on the Senate Floor & Apple Vehemently Opposes it
One issue that is dominating this week's news cycle is cybersecurity. It began on Monday with the Wall Street Journal's Live-conference interview with Apple's CEO Tim Cook in a segment titled 'New Frontiers.' While Cook briefly touched on a number of Apple products, he also touched on Apple's view on security and encryption. Cook stated that "We think encryption is a must in today's world. No back door is a must. No one should have to decide privacy or security. We should be smart enough to do both." Later Cook noted, "Don't assume the only way to have security is to have a back door. I wouldn't be so quick to make that judgement." Then on Tuesday, Apple Legal urged the court not to require it to comply with the DOJ's request to unlock an iPhone. While this was playing out, Apple, Google, Twitter and 19 other tech companies were opposing the Cybersecurity Information Sharing Act (Cisa) Bill.
The Cybersecurity Information Sharing Act is a proposed law to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes." The law would allow the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The bill was first introduced in the U.S. Senate on July 10, 2014. The bill passed the Senate Intelligence Committee by a vote of 14-1 in March and is now before the Senate.
The main provisions of the bill make it easier for companies to share cyber threat information with the government. Without requiring such information sharing, the bill creates a system for federal agencies to receive threat information from private companies. The bill also provides legal immunity from privacy and antitrust laws to the companies which provide such information.
With respect to privacy, the bill includes provisions for preventing the act of sharing data known to be both personally identifiable and irrelevant to cyber security. Any personal information which does not get removed during the sharing procedure can be used in a variety of ways. These shared cyber threat indicators can be used to prosecute cybercrimes, but may also be used as evidence for crimes involving physical force.
Support and Opposition
The CISA has received some support from advocacy groups, including the United States Chamber of Commerce, the National Cable & Telecommunications Association, and the Financial Services Roundtable.
A number of business groups have also opposed the bill, including the Computer & Communications Industry Association, as well as individual companies like Twitter, Yelp, and Reddit.
BSA (The Software Alliance) appeared initially supportive of CISA, sending a letter on July 21, 2015 urging the Senate to bring the bill up for debate. On September 14, 2015, the BSA published a letter addressed to Congress supporting, amongst other things, cyber threat information sharing legislation. The letter was signed by board members Adobe, Apple Inc., Altium, Autodesk, CA Technologies, DataStax, IBM, Microsoft, Minitab, Oracle, Salesforce.com, Siemens, and Symantec.
This prompted the digital rights advocacy group Fight for the Future to organize a protest against CISA. Following this opposition campaign, BSA stated that its letter expressed support for cyber threat sharing legislation in general, but did not endorse CISA, or any pending cyber threat sharing bill in particular.
According to a new poll by internet activists Fight for the Future, twenty-two of the world's top technology companies are firmly against the controversial Cybersecurity Information Sharing Act (Cisa) now on the floor of the Senate.
The poll lists Apple, Google, Twitter and Wikipedia as opposing the legislation while Comcast, HP, Cisco and Verizon are among the 12 companies who back or have remained silent on the bill. Cisa is aimed at tightening online security but has been criticised as infringing on civil liberties and privacy.
The bill could come up for a preliminary vote as early as today. Within the Senate itself, Cisa has both bipartisan support and bipartisan opposition.
US Democratic senator Ron Wyden of Oregon succinctly expressed his distaste for the legislation before the body on Tuesday afternoon, commenting that "There is a saying now in the cybersecurity field, Mr. President: if you can't protect it, don't collect it. If more personal consumer information flows to the government without strong protections, my view is that's going to be a prime target for hackers."
Even the Department of Homeland Security, designated the entry point for all the information from the bill, has come out strongly against it, saying that it "could sweep away important privacy protections."
Apple in particular came out swinging against the bill on Tuesday evening, issuing a statement to the Washington Post: "We don't support the current CISA proposal. The trust of our customers means everything to us and we don't believe security should come at the expense of their privacy." That is exactly what Apple Legal stated yesterday in the case noted earlier.
With respect to the apparent policy reversals of companies that have supported the bill in the past, Fight for the Future campaign director Evan Greer said she thought private industry had simply read the writing on the wall.
Greer added that "I think these companies recognize that this is a supremely unpopular piece of legislation among their users. Internet users have been opposing this kind of legislation for years; I think the Senate should consider that the same users that led revolts against these companies are also voters."
The bill would allow private industry to share user information with the Department of Homeland Security, which would be compelled to share it across "relevant government agencies", presumably including the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
The bill has been touted by its supporters, notably the US Chamber of Commerce, as entirely voluntary. In fact, as Wired pointed out in its August article titled "Busting the Biggest Myth of Cisa – That the Program is Voluntary," "It allows companies to choose to send certain swaths of information, which may include very personal information about users, to the government. Companies may choose to share information with any number of government agencies, including military agencies, but will receive a bonus reward in the form of protection against any legal liability if that information is shared directly to the Department of Homeland Security (which is then required to transmit the information in real time to agencies like the NSA anyway)."
Fight for the Future's list doesn't just cover Cisa; the group also breaks down industry support for the NSA-backed plan to insert "back doors" into cryptography and whether respondents support reform of the Electronic Communications Privacy Act, or ECPA (Reagan-era legislation which allows law enforcement to request all electronic messages older than six months by serving the provider with a subpoena, rather than a search warrant).
Lastly, Fight for the Future campaign director Evan Greer stated that "The concerns around this bill go so far past privacy. People don't trust the government or large corporations with their data anymore. We need mechanisms to hold them accountable and this bill goes in the exact opposite direction."