We learned last week that the government is just as cyber-insecure as Sony. The White House finally disclosed that hackers, reportedly from China, had stolen more than four million personnel records, including security clearance information that could potentially be used for espionage. Senate Majority Leader Mitch McConnell’s answer? Let’s give the government even more sensitive information, this time about you and me, and let’s do so with the utmost secrecy.
For years now, the forces of industry and national security hawks in Congress have pushed to drive a tractor through existing privacy law in the name of cybersecurity “information sharing.” These measures, the most high-profile of which was the ill-fated Cybersecurity Information Sharing and Protection Act, or “CISPA,” in 2013, have so far faced righteous opposition by the privacy and civil liberties community (which, incidentally, is advocating for more effective security measures that wouldn’t imperil basic freedoms).
This year, Majority Leader McConnell and head of the Senate intelligence committee, Richard Burr (R-SC), are trying something different. Burr moved the bill to the full Senate in secret session of his committee, and McConnell is planning to attach the bill as a “second degree” amendment to a military spending bill. That means, assuming the bill passes, CISPA 2.0 will have breezed through with no debate on the floor of the Senate. This is the sacred crucible of democracy in action, folks.
So, what does the bill—dubbed the Cybersecurity Information Sharing Act, or “CISA”—do? It’s a surveillance bill, pure and simple. It says that any and all privacy laws, including laws requiring a warrant for electronic communications, and those that protect financial, health or even video rental records, do not apply when companies share “cybersecurity” information, broadly defined, with the government. For much more detail, please see this blog and coalition letter, this analysis from the Center for Democracy and Technology and a deep dive by the Open Technology Institute.
Once that information is shared, it will be automatically disseminated government-wide, including to outfits like the National Security Agency, CIA, and FBI, where it can be used for garden-variety law enforcement investigations and intelligence activities. It can also be used to investigate and prosecute whistleblowers under the Espionage Act, the World War I-era law that has been used by the Obama administration to go after more national security “leakers” than all other presidencies combined.
In short, it makes mincemeat of basic notions of due process. But that’s not all. This isn’t just a problem in the abstract for “privacy.” It would actually make things less secure.
The hack revealed last week targeted the Office of Personnel Management. OPM is what it sounds like: the federal agency responsible for maintaining detailed records on the millions of government workers in the United States. Those records include social security numbers, birth dates, and information on families, friends, co-workers—you name it. OPM runs security clearances, which can involve the collection of very sensitive information. In other words, OPM is the ultimate honeypot for hackers; a one-stop shop to create a database that can be used to guess passwords, compromise accounts or craft sophisticated phishing attacks like those that were probably used to get into Sony and Anthem.
Worse, this is only the latest, though possibly the largest, in a series of data breaches at the federal government, which, in just the past year, have included hacks at the IRS, State Department, and the White House.
If the federal government can’t secure the most sensitive intelligence and military data against spies and cyber-thieves, what does that mean for the vast amount of personal information that would flow to the government from the private sector under CISA? The answer is obvious. The honeypot would grow all that much sweeter. Not only would you have a one-stop shop for government worker information, you would have a new trove of personal information about all of us, held in what have proved to be tempting and vulnerable targets for the baddest of actors.
That all this is happening without any debate is just salt in the wound. Senator Ron Wyden (D-OR), the only member of the intelligence committee to vote against CISA, is waging a lonely fight against the bill, and has vowed to push for a full and open debate on the measure. He deserves our support. It would be truly tragic if legislation this dramatically terrible passed without anyone even talking about it.
