For those not watching, CISA is the bill that’s supposed to allow companies to voluntarily cooperate with the feds (and state, local & tribal governments) to share information about ‘cyber’ attacks. Notice I didn’t say ‘share with law enforcement agencies’. The list of authorized agencies is:
- The Department of Commerce.
- The Department of Defense.
- The Department of Energy.
- The Department of Homeland Security.
- The Department of Justice.
- The Department of the Treasury.
- The Office of the Director of National Intelligence.
‘Troubling,’ you might say.
Now, in theory — taking the bill literally as written and pretending this is a government not interested in abusing its power — this might not be so bad. Aside from a few little problems.
The bill requires that any personally identifiable information be stripped out for anyone caught in the bulk data collection who isn’t the suspected cyber-terrorist. Stripped out by the feds. After they get it. (The companies could do it first, but the bill directs the feds to set up their operation, so why would the companies bother spending the money?)
And you’ll just have to trust that your data got stripped out before going to the NSA’s Utah warehouse, because…
SEC. 104. (d) (4) (B) EXEMPTION FROM DISCLOSURE.—A cyber threat indicator shared with a State, tribal, or local government under this section shall be—
(i) deemed voluntarily shared information; and
(ii) exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records.
SEC. 105. (d) (3) EXEMPTION FROM DISCLOSURE.—Cyber threat indicators and defensive measures provided to the Federal Government under this title shall be—
(A) deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local law requiring disclosure of information or records; and
(B) withheld, without discretion, from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records.
So even if they outright deliberately violate this would-be law, that same law specifically denies you the opportunity to find out. FOIA exempt. No exceptions. ‘[W]ithheld, without discretion’.
So you can see why I’m not a fan of this crock of shit. But wait; there’s more!
Despite the title, this is not just an information sharing bill. It also provides for all these ‘entities’ — federal, state, local, tribal — to sign agreements to let outside parties access and hack their systems. All in the interest of ‘defending’ against an attack. Now, should the FBI be rummaging around your Gmail and phone accounts looking for the right terror-hacker, and find evidence of bad-think constitutionalism (you think the 2nd Amendment actually means what it says? Bad, bad, bad!)…
Of course they won’t forget to strip out your identifying data, and add bad-boy notes to your dossier, hiding behind that handy FOIA exemption.
Don’t forget that your local .gov gets to do this, too. Privacy aside for a moment, consider your last visit to your town tax office and imagine those incompetents dicking around in phone company computers, or Target stores’. Someone hacked your credit cards? Bummer, dude; we don’t have to tell you jack. Yeah, they’re supposed to, but with that blanket FOIA exemption to hide their activities…
Besides, participating ‘entities’ get immunity for over-sharing, or over-hacking anyway (that’s the carrot to get companies to play: no liability).