I'm a CEO, and This Is What CISA Will Do to My Business

Impact
By Elissa Shevinsky

The "Pass the Mic" series showcases voices, perspectives and ideas that spark interesting conversations.

I am the CEO of a cybersecurity startup. I spend most of my time talking to security experts about breaches ("cyberhacks" as the FBI calls it) and building tools designed to protect against such threats. I've interviewed dozens of executives about security in their organizations and have spoken with members of the CIA, National Security Agency, FBI and Department of Justice about national security. I am currently working on software designed to help companies better protect their internal communications. 

I pay close attention to cybersecurity legislation, because it directly impacts my business. My key differentiator (what makes my company special) is our attention to privacy and security. My ability to promise — and deliver — on privacy for my users is at risk with the latest cybersecurity bill to pass the United States Senate. CISA, which stands for Cybersecurity Information Sharing Act of 2015, has me concerned. 

That's what CEOs say when they are scared: I'm "concerned."

Getty Images

My customers trust my company because we maintain a certain transparency, and the law supports that. If we publish a privacy policy, then we need to uphold that policy. We can't say that we protect user data and then secretly share it (for example, with the government.) Those kind of shenanigans could lead to an investigation and fines by the Federal Trade Commission.

If CISA passes, as it is currently written, it will mean that companies could violate their privacy policies without liability. That's bad for any company committed to user privacy, because it means that our customers will not be able to rely on our privacy policy. Proponents of CISA say the data sharing encouraged by this bill is voluntary. However, whether you are a large enterprise, like Apple, or a small startup, standing up to the government is non-trivial. 

If CISA passes, as it is currently written, it will mean that companies could violate their privacy policies without liability.

And, of course, I'm troubled as a consumer. I want to know what companies do with my data! CISA is designed to shield companies from both transparency and liability around data-sharing with intelligence agencies.

This brings me to my deeper worry about the CISA legislation — I'm also concerned for this country. I wish the government were sincere in its legislative efforts to protect the citizens of this nation from attacks by nation-states and from other bad actors. Unfortunately, the "cyber" initiatives being proposed by our government leaders are not about security at all.  

There are so many issues with CISA, but this rises to the top: CISA is not helpful for solving national security. This is problematic because that is the sole (stated) purpose of this bill.

Did you know that CISA was put forward by the Senate Intelligence Committee? The role of intelligence agencies includes gathering as much data ("intelligence") as possible. This bill is designed to help them do the best job possible. Unfortunately, intelligence gathering is more helpful for prosecuting crimes than it is for securing our technical infrastructures (our servers, our networks, our computers, our communication systems, etc.).

Instead, we have a surveillance bill masquerading as cybersecurity. It is shameful that the Senate is indulging in this kind of double-speak and putting forth the incorrect notion that we must give up our privacies in the name of national security. America needs legislation that will address our security weaknesses. Instead we get this kind of confusing and disingenuous security theater. 

We have a surveillance bill masquerading as cybersecurity.

And with it, an increasingly hostile environment for privacy-conscious businesses and outspoken citizens. Several of my friends have already left the country. They've gone to places like Berlin, which have stronger privacy laws. My mentors at security companies like Silent Circle, as well as my legal team, are advising me to locate my company offshore. Silent Circle is based in Switzerland. Another friend in the security space favors Panama. 

But it's my hope to continue running a privacy-focused business here in the United States. I'll continue to watch the CISA legislation closely, but I'm not optimistic. The conference committee between the House of Representatives and the Senate will determine the bill's final language. What will it take to preserve our American freedoms?