The Senate voted on Tuesday night to approve the Cybersecurity Information Sharing Act, a piece of legislation dreaded equally by Internet corporations, activists and privacy hawks. The 74-to-21 vote was a landslide defeat for anti-surveillance advocates.
The bill establishes a process for corporations to share details of security breaches with the Department of Homeland Security following a hack, all in the name of security.
Over the past few weeks, activists have forced the private sector to take sides, with Internet companies like Twitter and Google standing against the bill, and telecoms businesses like Verizon and AT&T in support of CISA. Facebook wouldn't take a side.
"CISA isn't a cybersecurity bill," Edward Snowden wrote in a Reddit "Ask Me Anything" session in early October. "It's not going to stop any attacks. It's not going to make us any safer. It's a surveillance bill. What it allows is for the companies you interact with everyday — visibly, like Facebook, or invisibly, like AT&T — to indiscriminately share private records about your interactions and activities with the government."
The motivation: The bill is attempting to address a real problem: responding quickly to cyberattacks. CISA mandates that the DHS set up a portal to receive data about breaches. If a private company is hit with an attack, CISA shields them from civil liability for sharing personal data as long as they hand it over to the DHS.
"There's a lot in there about sharing between government and non-government group," Jasper Graham, a former technical director with the National Security Agency, told Mic. "But there has to be, and in order to act on information, you have to act quickly."
Graham said that corporations still have the option not to share information, and grey areas in the bill will allow for the law to adapt to the changing face of cybersecurity over time. The alternative, he said, is that corporations attempt to do damage control on their own, terrified of sharing what they know about the attack against them while the threat multiplies.
But privacy advocates are worried that corporations will too easily use this as an opportunity to grant themselves immunity while handing over users' data.
The results: CISA was sold as a cybersecurity bill, and on that front, it's terrible.
Even Graham, who thinks CISA is a step in the right direction, agrees with privacy advocates' assertion that the bill won't do anything to prevent attacks, which would require clear standards for baseline security that involve often-expensive solutions. That kind of protection is coming only at a snail's pace.
The bill now goes to the House of Representatives, where it is expected to pass. Should the measure be approved by both houses, it will go to President Barack Obama, who the White House has signaled would sign it.