Two Intended Consequences CISA Supporters Will Be Responsible For

Tomorrow, the Senate will vote on CISA. It is expected to pass by large margins.

Given that a majority in the Senate is preparing to vote for CISA, I wanted to lay out two intended consequences of CISA, so supporters will know what we will hold them responsible for when these intended consequences prove out:

The government will lose power to crack down on providers who don’t take care of customers’ data. 

As I have laid out, if a company voluntarily shares a cyber indicator with the government, the government cannot use that data to initiate any regulatory action against the company. In the future, then, any Wyndham Hotels or Chrysler that have long ignored known vulnerabilities will be able to avoid FTC lawsuits or NHTSA recalls simply by telling the government about the vulnerability — and continuing to do nothing to protect customers. The bill will even make it less likely customers will otherwise learn about such things (partly through FOIA exemptions, partly by increasing the difficulties of doing security research independent of a company), which would provide them another route — a lawsuit — for holding a company accountable for leaving their data exposed.

So the Senators who vote for CISA tomorrow will be responsible for giving you fewer protections against negligent companies, making it more likely your data will be exposed.

CISA will provide a way around the warrant requirement for domestic collection of content

In 1972, the Supreme Court unanimously held that the government needed a warrant before conducting electronic surveillance for “domestic security” purposes. After some years, Congress set up the FISA court and process, through which the government can obtain warrants — and under FISA Amendments Act, mere certificates — permitting them to spy on US persons, while maintaining some modicum of review both at the warrant stage and (though it never worked in practice) the prosecution stage.

CISA will set up an alternative system for a very broadly defined cyber use, whereby Congress permits corporations to share the fruits of spying on their own customers with the government. Virtually all the protections built into the FISA system — a review by a judge, judicially approved minimization procedures, the requirement to protect US person identities as much as possible, and notice provisions if used for prosecution — will be eliminated here. Corporations will be able to spy on customers and hand over that data under permissive guidelines, giving the government all the benefits of domestic surveillance (again, just for a broadly defined cyber purpose). [See this post for more details on this.]

And make no mistake: the government will be obtaining content, not just metadata. If they didn’t plan on obtaining content, they would not include permission to use CISA-acquired data to prosecute kiddie porn, which after all is always about content (the same is true of IP theft).

Worse, it’s not clear how this abuse of constitutional precedent will be overturned. Without notice to criminal defendants, no one will ever be able to get standing. So SCOTUS will never review the constitutionality of this. By deputizing corporations to spy, the government will have found a way around the Fourth Amendment.

So Senators who vote for CISA tomorrow will be voting to begin to dismantle an imperfect, but nevertheless vastly superior, system designed to uphold the Fourth Amendment.

And note: what Senators will be voting for in exchange for these two intended consequences will be meager. Bill sponsor Richard Burr admitted last week that his earlier claims, that this bill would prevent hacks, was overstated. Now, he only promises this will limit the damage of hacks — though there’s little evidence that’s true either.  So if Senators vote for this bill, they’ll be trading away a lot for very little in terms of security in exchange.

Again, this blog post won’t change the outcome tomorrow. But it should put every Senator preparing to vote for this bad bill on notice that we will hold you responsible for these things.

Post updated with paragraph about how little this bill does to improve cybersecurity.

7 replies
  1. orionATL says:

    what a monster this bill is. astounding it will even be condidered fot a vote.

    really, it is time, and past time, to rescind the legislative authorization that established the senate select committee on intelligence and disband the ssci.

    the ssci no longer functions as a legislative-branch entity of the american congress performing rigorous oversight of the most dangerous-to-democracy organizations in the executive branch. it functions instead as legislative handmaiden doing the bidding of the fbi/doj, the nsa, the cia, the dhs.

    both cisa and ssci can only be supported by fools **.

    Full Definition
    1 :a person lacking in judgment or prudence
    2 a :a retainer formerly kept in great households to provide casual entertainment and commonly dressed in motley with cap, bells, and bauble
    b :one who is victimized or made to appear foolish :dupe

    that dictionary don’t lie.

  2. joanneleon says:

    Fourth amendment gone with a whimper. It’s unf’ing believable.

    And it’s such a tangled legal mess, hardly anyone will understand much of it at all.

  3. Denis says:

    With respect, I’m not convinced you are reading this legislation correctly. You’re not citing sections/paragraphs so there’s no way to connect your two concerns to the actual bill. With out reference to the bill I can’t tell if maybe you’re seeing something that I’m not seeing or I’m misconstruing the basis of your concerns.
    Let me address just the first of your two “intended consequences”. It has two sub-parts: 1) “if a company voluntarily shares a cyber indicator with the government, the government cannot use that data to initiate any regulatory action against the company” and 2) “[t]he bill will even make it less likely customers will otherwise learn about such things (partly through FOIA exemptions, partly by increasing the difficulties of doing security research independent of a company), which would provide them another route — a lawsuit — for holding a company accountable for leaving their data exposed.”
    First, a matter of tidying up the terminology. The Act talks about “cyber threat indicators” (how about: “CTIs”) [not cyber indicators] and “defense measures” (DMs). Section 2 defines these two terms explicitly and the Act uses them in tandem almost completely. In fact, the bill is about the ground rules for private and governmental entities sharing CTIs and DMs with each other and with the USG.
    The bill is found at — – your link from the Salon article, thanks.
    Essentially, CTI means information regarding hacks, attempted hacks, cyber snooping, vulnerabilities, &etc. (The “&etc.” is not in the bill, the bill is quite explicit in these definitions.) Essentially “DMs” means methods used to query an information system and to squeeze the data to ferret out cyber threats and vulnerabilities.
    In asserting that the USG cannot use the disclosed data/methods to initiate regulatory action against a company that discloses same, it looks like you must be referring to Sec. 5(d)(5)(D) – copied here:
    (i) IN GENERAL.—Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this Act shall not be directly used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any entity, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.
    (ii) EXCEPTIONS.—
    (I) REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.
    (II) PROCEDURES DEVELOPED AND IMPLEMENTED UNDER THIS ACT.—Clause (i) shall not apply to procedures developed and implemented under this Act.
    First, there are two important limiting words here: “directly” and “lawful.” The limitation on implementing new regulations and enforcement actions only applies to “lawful activities” of the reporting entity, and only to direct use of the disclosed information by the government.
    Second, the restriction on enforcement/regulation is limited to the CTIs and DMs the entity reports. The intention is that information about hacks and information about defense measures – code, monitoring, &etc. – cannot be turned against the company in the form of regulations, so long as what the company is doing is legal.
    I’m not seeing your problem here. Seems obvious that 1) it is to everyone’s benefit for entities who are aware of hacks and whose defense measures are effective to provide that information to other entities and to the USG, and 2) companies are not going to warn the USG and other private entities of what they’ve found if it will mean their techniques are going to be regulated out the whazoo [sp?] or will precipitate enforcement activity against them.
    Third, pursuant to exception (I), CTIs/DMs provided to the USG under the Act may (as in “CAN”) be used to inform the development/implementation of regulations related to the hacked information systems – but new procedures developed under the Act cannot be so used, as per exception (II) to exception (I).
    Fourth, you keep referring to “sausage” with respect to this bill, and, man, do I agree. In subpara (i) above the phrase “including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators” could refer to the “defensive measures provided to the Federal Government” or it could refer to “the lawful activity of any entity.” In the first case, the phrase is about what does/doesn’t trigger regulation/enforcement, and in the second case the phrase says what can/can’t be regulated. Ambiguous sausage.
    So in the Jeep case, if this Act had been law, I don’t see how Jeep sharing the vulnerability would give them any meaningful immunity at all, even if, arguendo, what they did was not illegal. It looks to me like what is at issue is not Jeep’s defense measures but rather Jeep’s lack of defense measures, and reporting the lack of defense measures is not mentioned in or covered by the Act. Furthermore, any immunity would only be with respect to procedures developed under the Act.
    I have not gotten to your second sub-part of concern #1, but this comment is too long already. My apologies. I’ll try an complete my analysis of sub-part #2 of concern #1 and, perhaps, concern #2 in a post to my own blog where I can ramble and be a boor on my own dime. If I do, I’ll come by and drop a link, sort of like a pigeon flying overhead on a sunny day. But I hope you see my confusion re: your conclusion that the Act prohibits any regulatory activity w/ respect to reported CTIs and DMs. BTW, I wouldn’t buy a Jeep anyway – gas tank leaked in the last one I had.
    The state bar requires the following caveat: Nothing herein constitutes legal advice b/c, basically, I don’t know WTF I’m talking about. And I don’t know WTF you’re talking about either. And I’m not sure you know WTF you’re talking about, and I’m damn well sure you don’t know WTF I’m talking about. In fact, I don’t even know WTF the state bar is talking about.

    • orionATL says:

      i’m confident you are a troll writing contracted, paid for, subtrafuge.

      nothing demonstrates that better than your use of the tactic of copious citation – citations which, though devoid of coherent argument, arecintended by their volume alone to impress and deceive the gullible

      given your previous clumsy and ignorant commentary here on other matters, i think it is safe to say you do not have a clue what you are talking about when it comes to the cisa.

      what this spoofing commentary of yours will do though, is to cause any who doubted you were a troll and a heirling to dismiss their doubts – and your hired claptrap as well.

    • orionATL says:

      on the matter of the jeep software deficiencies:

      as i understand this computer code vulnerability problem that jeep has (or now, maybe, had),

      it was discovered by computer specialists not at all connected with chrysler corporation.

      similarly, the vw cheating on diesel emissions during mandatory emissions testing was discovered by a small private resesrch firm.

      one interpretation of the cisa is that it would forbid such private individuals and organizations from testing for flaws in computer systems.

      nice touch, eh, denis?

      your comment does raise the question, coming so soon on the heels of the vw (and now other car companies) emissions cheating disvoveries, as to what degree the automotive indudtry, international as well as american, will have been behind the acceptance of the cisa by the senate.

      the chamber of commerce and the automotive industry – partners in legislative crime.

    • orionATL says:

      see emptywheel oct 20, “fred upton’s bid, ff…”

      [… Which is why I believe this section does what I’m afraid it does: make it harder for independent researchers to review carmakers code.

      This section establishes that it is unlawful for any person to access, without authorization, electronic control units or critical safety systems in a vehicle, or other systems containing driving data either wirelessly or through a wired connection. It establishes a civil penalty of $100,000 for a person who violates this section.
      The actual language of the bill does not include a researcher’s exception.

      (1) PROHIBITION.—It shall be unlawful for any person to access, without authorization, an electronic control unit or critical system of a motor vehicle, or other system containing driving data for such motor vehicle, either wirelessly or through a wired connection.
      It also imposes a penalty for each thing hacked (so doing research would get really expensive quickly).

      Update: NHTSA is no more impressed than I am.

      The Committee’s discussion draft includes an important focus on cybersecurity, privacy and technology innovations, but the current proposals may have the opposite of their intended effect. By providing regulated entities majority representation on committees to establish appropriate practices and standards, then enshrining those practices as de facto regulations, the proposals could seriously undermine NHTSA’s efforts to ensure safety. Ultimately, the public expects NHTSA, not industry, to set safety standards. …]

Comments are closed.