The Computer and Communications Industry Association — a trade organization that represents Internet, social media, and even some telecom companies — came out yesterday against the Cyber Intelligence Sharing Act, an information sharing bill that not only wouldn’t be very useful in protecting against hacking, but might have really dangerous unintended consequences, such as gutting regulatory authority over network security negligence (though the Chamber of Commerce, this bill’s biggest backer, may not consider it an unintended consequence).
Most coverage of this decision emphasizes CCIA’s concern about the bill’s danger to privacy.
CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.
But I’m far more interested in CCIA’s stated concern that the bill, in authorizing defensive measures, would permit actions that would damage the Internet’s infrastructure (to which a number of these companies contribute).
In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties.
[snip]
But such a system … must not enable activities that might actively destabilize the infrastructure the bill aims to protect.
At least some of these companies that make up our Internet ecosystem think that some other companies, in aggressively pursuing perceived intruders to their systems, will do real damage to Internet as a whole.
It seems like a worthy concern. And yet the Senate runs headlong towards passing this bill anyway.