President Obama signs the CISA bill into law

Dec 19, 2015 22:47 GMT

CISA, the Cybersecurity Information Sharing Act, has passed the US House of Representatives and the US Senate in one single day, packaged, or more accurately, sneakily hidden inside a generic, omnibus budget bill.

In one of the most outrageous and shameful acts of government, US leadership has completely ignored cries from the US population, privacy watchdogs, and even Silicon Valley companies, all of which have been extremely critical, vocal, and aggressive against CISA.

Even worse, the CISA variant that passed with the omnibus budget bill also removed any NSA-unfriendly clauses, and now gives even more power to government agencies, like the Department of Homeland Security, the FBI, and the NSA, to snoop through any online communications.

CISA comes to replace the Patriot Act just in time

All of this is extremely ironic but makes sense in the big picture. After many years of criticism and attempts from user privacy advocates to get the Patriot Act shut down, they achieved this last summer. The last provisions that allowed the NSA to collect metadata about user phone calls ended on November 29. Less than three weeks later, the new CISA bill was passed.

Companies were not thrilled about CISA in its first variant, and they're not too excited about this version either.

"The new provisions of CISA appear to not offer any incentive to anonymize the data that will be shared between businesses and the government, which is a problem," says Joseph Pizzo, field engineer at Norse, a global leader in live attack cybersecurity intelligence, founded by former law enforcement and intel officials.

"The initial proposal of CISA had a bare minimum of provisions to offer some type of privacy protection, but not enough. What we’re seeing now is that these few provisions have been stripped away and there is no longer a requirement to proxy the data through the DHS," Mr. Pizzo told Softpedia.

"With the changes, organizations can now directly share raw data with several agencies with no protection or anonymity. There may have been a small cost associated with anonymizing the data, but now that this requirement has been removed and organizations may feel that they’re helping, I don’t foresee any work moving forward to protect consumer data."

Some companies might fight the law by using stronger encryption

"There are a few large key players that may enforce some type of anonymity and tokenization of data or continue with business as usual as it applies to their customer and partner data. Companies like Apple and Twitter, who have been very vocal with their opposition, may have a loud enough voice and large enough customer base to further protect the privacy of their customers," Mr. Pizzo explains.

"Those companies that have been silent or on the line between supporting and opposing CISA may have to pick a side. A large number of security practitioners will oppose CISA and do their best to push end users to be more thoughtful about privacy protection."

"Unfortunately, it will fall on the consumers to make use of the tools to protect their privacy and choose which organizations they feel most secure with."

President Obama, one of CISA's biggest supporters, signed the omnibus budget bill into law, giving US agencies official powers to eavesdrop on everyone's Internet communications. This time around, everything was done out in the open, so whistleblowers like Edward Snowden have lost their power.