Controversial Cybersecurity Law Passed as Appropriations Rider
Washington avoided a seasonal budget showdown on Friday, when Congress passed a $1.1 trillion spending bill to fund the government through next fall. Tucked within the 2200 pages of the omnibus spending bill was an unusual appropriations rider: the entire text of the Cybersecurity Information Sharing Act.
CISA is one of a handful of cybersecurity laws Congress has been considering for the past year. It seeks to bolster cybersecurity by increasing corporate information sharing with the government, but has been condemned as a cyber surveillance measure by privacy advocates. Here's what you need to know.
The Law
CISA attempts to improve awareness of and cooperation on cybersecurity issues through information sharing between the government and the private sector. Under CISA, companies can collect information, including personal consumer information, on cyber threat indicators and share it with the Department of Homeland Security, notwithstanding other laws.
It's a broad authorization, shielding companies from liability that could stem from their information sharing. The information is also not limited to cybersecurity risks per se. CISA, as passed through the appropriations rider, permits information sharing for other purposes, including espionage and trade secrets violations. To protect consumers, the law also requires the government to notify Americans, and only Americans, when their personal information is shared in contravention of the bill.
The Controversy
Supporters of the bill view it as a great step forward in public-private cybersecurity cooperation. Information sharing is key to identifying and responding to cyber threats early on. The legal industry, for example, just got its own cybersecurity information sharing forum, allowing firms to tip off others to potential threats.
CISA puts the federal government at the center of such efforts. Senator Dianne Feinstein has said that the bill "takes an important first step to address a significant drain on our economy and threat to our national security."
Privacy advocates have condemned the bill, however. The Center for Democracy and Technology warns that the bill could be used to greatly increase government data collection for non-cybersecurity related purposes. Analysts Jadzia Butler and Greg Nojeim write:
While companies receive liability protection only for the information they share with DHS and with non-Federal entities, the bill allows the President to later designate other "appropriate" civilian Federal entities as information sharing portals, leaving room for scenarios in which companies would share - with full liability protection - information derived from Internet users' communications directly with Federal entities such as the FBI and other agencies primarily concerned with law enforcement surveillance, not cybersecurity.
Only time will tell just what effect CISA may have on cybersecurity and privacy.
Why the Rider?
It's not unusual for controversial, unpopular, or just obscure laws to be tacked on to "must pass" appropriations bills. Appropriations riders have been used to deny wolves endangered species protections, for instance, and to help out the local sunken treasure industry.
Using appropriations riders to pass substantive legislation is controversial, since it often denies the laws the scrutiny they would receive were they passed on their own. Representative Zoe Lofgren, of California, decried the inclusion of CISA in the budget bill, saying "this so-called 'cybersecurity legislation' was inserted into a must-pass Omnibus at the 11th hour, without debate."
But CISA did not exactly "sneak in" to law; it simply took a shortcut. The act, backed by both Republicans and Democrats, had already been passed in the House and Senate and was simply awaiting reconciliation.