By Kelli Sladick
Congressional efforts to fortify dragnet domestic surveillance and threatens privacy advanced last week when a Senate committee approved the Cyber Intelligence Sharing and Protection Act (CISA).
CISA is an addition to the current National Security Act of 1947 creating a subsection 1104 which incorporates private companies into the intelligence community under voluntary measures. It is intended to make it easier for corporations and government entities to stop hackers. But it features provisions opposed by privacy advocates.
Supporters say it will make it easier for corporations and government to share data, but that might not be such a good thing. Many privacy advocates and organizations have denounced this piece of federal legislation here, here, here.
So what will CISA do?
It will encourage state agencies and corporations to share resident and customer information to the NSA funneled by the Department of Homeland Security.
The President shall designate an entity within the Department of Homeland Security as the civilian Federal entity to receive cyber threat information that is shared by a cybersecurity provider or self-protected entity.
This information will then be shared with multiple departments and agencies in the federal government. Federal agencies and departments are required to “ensure that cyber threat information shared with departments or agencies of the Federal Government in accordance with such section 1104(b) is also shared with appropriate departments and agencies of the Federal Government with a national security mission in real time;”
Encourages companies and local law enforcement to aid in surveillance
CISA will “facilitate information sharing, interaction, and collaboration among and between the Federal Government; State, local, tribal, and territorial governments; and cybersecurity providers and self-protected entities.”
Domestic intelligence gathering is metasticizing into all aspects of our life. Data searched and seized by the federal government goes beyond what we have seen in the Edward Snowden leaks. We know from recent revelations that our phone calls, emails, texts, metadata are collected. But this is still not enough for the spy-state. The NSA wants information on your utilities. This data shared may include more than cyber threats to utilities due to vague language in the bill. Data may include: How much electricity are you using, how much gas or oil are you using and whether you expel a lot of waste.
“(C) require a new information sharing relationship between the Federal Government and a private-sector entity or utility;”
Collected data is intended to include people of no counter-terrorism intelligence or threat value. It is not an accidental or incidental collection like NSA claims. CISA will authorize intentional collection on innocent persons. In other words, even if you have nothing to hide, all your electronic data is to be collected, shared and seized by the federal government.
Pretends to safeguard privacy
“The Director of National Intelligence, in consultation with the Secretary of Homeland Security and the Attorney General, shall establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the Federal Government.”
The federal government has determined that the sole investigator into surveillance includes itself. No state, local agency, or corporation is included in this review process. These agencies and corporations are given no voice if they believe there is a privacy violation. Most importantly, you are not entitled to a voice about how your data will be searched or seized.
CISA attempts to minimize privacy concerns, however in its current form it can be broadly interpreted by the federal government. Terms are not defined and vague.
(i) minimize the impact on privacy and civil liberties;
(ii) reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is not necessary to protect systems or networks from cyber threats or mitigate cyber threats in a timely manner;
(iii) include requirements to safeguard non-publicly available cyber threat information that may be used to identify specific persons from unauthorized access or acquisition;
(iv) protect the confidentiality of cyber threat information associated with specific persons to the greatest extent practicable; and
(v) not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat.
CISA requires that all entities that enter in this agreement must set up a data sharing liason between the federal government and the corporation or law enforcment agency. This person will then have to pass a background check for a security clearance. This person will then become apart of the intelligence community chain of command under the guidance of the Director of National Intelligence (DNI).
“grant a security clearance on a temporary or permanent basis to an employee, independent contractor, or officer of a certified entity;”
It then gives access to cleared non-military personnel to have access to appropriate facilities. These appropriate facilities are called “Sensitive Compartmented Information Facilities” (SCIF). Here, cleared personnel handle classified information. This data, however, includes information not just on terrorism targets, but also innocent people. and without a warrant.
“grant a security clearance on a temporary or permanent basis to a certified entity and approval to use appropriate facilities;”
Close to 5 million people hold a security clearance. This act will expand that number. Even though top officials in the intelligence community are calling for more extensive background review, this act will do the exact opposite by fast-tracking state level agencies and certified members of corporations.
“expedite the security clearance process for a person or entity as the head of such element considers necessary, consistent with the need to protect the national security of the United States.”
Prohibits whistle blowing to the press
In common intelligence community fashion, it prohibits entities or companies from talking with the press to address fraud, waste, and abuse. Whistleblowers like Mark Klein and the AT&T scandal would be subject to criminal action under this law. The federal government would force whistleblowers through “proper” channels which proved ineffective for Chelsea Manning, Daniel Ellsberg, Bill Binney, Edward Snowden, Veterans Hospital whistleblowers, John Kiriakou and many more.
“Notwithstanding any other provision of law, a certified entity receiving cyber threat intelligence pursuant to this subsection shall not further disclose such cyber threat intelligence to another entity, other than to a certified entity or other appropriate agency or department of the Federal Government authorized to receive such cyber threat intelligence.”
This also has an impact on “0 day exploits.” Zero days are flaws in software code that has been made aware to company and sometimes the public, however do not have a fix. This legislation may ban companies from telling the public about flaws in the software. It may also prohibit companies from telling other competitors and clients that there are security flaws in its own software. This may make the very software products we use less safe.
Protects domestic spying
Corporations tend to go along with whatever the federal government wants. As revelations continue to be released, corporations now seek asylum because people are fighting back. This bill prohibits corporations from being sued in a court of law on a federal or state level.
“Federal Preemption- This section supersedes any statute of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under subsection (b).
(g) Savings Clauses-
(1) Existing authorities- Nothing in this section shall be construed to limit any other authority to use a cybersecurity system or to identify, obtain, or share cyber threat intelligence or cyber threat information.
(2) Limitation on military and intelligence community involvement in private and public sector cybersecurity efforts- Nothing in this section shall be construed to provide additional authority to, or modify an existing authority of, the Department of Defense or the National Security Agency or any other element of the intelligence community to control, modify, require, or otherwise direct the cybersecurity efforts of a private-sector entity or a component of the Federal Government or a State, local, or tribal government.”
In other words, they are afraid of a state refusing resources. Further down it provides a haven for these voluntary entities from criminal or civil prosecution:
“No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith—
for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section;”
The fact is, corporations and law enforcement entities at the state and local level either feel powerless against the federal government or would rather be on the side of the devil. Either way, the loser is the people. There is only one way to stop it, and it needs to be state level. CISA is a voluntary bill for state agencies and corporate entities to become apart of the intelligence community. Instead, we need to encourage these same agencies and entities to be on the side of the people.
End information sharing between local and state agencies and corporations. End corporations using their resources to aid in our surveillance. End the corporate protectionism where domestic spying is provided some legal framework.