CISA Resurrected: Bad Policy, Broken Process


News yesterday that a dormant and much maligned cybersecurity bill—the Cybersecurity Information Sharing Act—had not only resurfaced but was on a fast track towards becoming law by virtue of being appended to a large spending bill came as an unfortunate surprise for the tech sector, privacy advocates, and anyone who cares about transparent policymaking. In the last few weeks of 2015, all of Congress’s remaining legislative capacity was directed towards passing the bloated mish-mash of policies known as the “omnibus.” In theory, the omnibus is a “must-pass” spending bill (“must-pass” in the sense that signing it into law is necessary in order to fund the government) that combines a number of different appropriations bills into one, streamlining what could otherwise be a tedious effort to pass spending bills piece-by-piece. But, in what has become a commonplace practice in DC, this year’s omnibus crams in piles of unrelated legislation (more than 2,000 pages in all), effectively ensuring the passage of controversial bills that would likely have faltered if exposed to the normal legislative process, public debate, or a straightforward Presidential veto.

Ultimately, this means that groups and individuals without significant influence or lobbying power often find themselves pushed out of closed-door conversations about which unrelated bills get appended to the omnibus. While this closed process doesn’t always result in terrible legislation (the removal of anti-net neutrality riders from this year’s omnibus being a prime example of good policy emerging from the omnibus mess), when bad legislation does find its way into the omnibus, it’s almost impossible to get it out. It is through just this backwards process that the ill-fated Cybersecurity Information Sharing Act (CISA) found its way into the omnibus and onto a seemingly unstoppable course towards a Presidential signature.

CISA essentially creates a framework for companies to collect and share user data with the government in a way that may circumvent basic privacy protections. While the bill is supposed to help government and industry cooperate to prevent cyber attacks like the high-profile hacks that targeted Sony, Target, and the federal Office of Personnel Management, critics argue that the bill creates more problems than it solves by jeopardizing user privacy, incentivizing companies to secretly monitor user activity, and allowing the government to obtain consumer data without a warrant. By moving CISA through the omnibus, Congress has shut these critics out of the recent negotiations. It’s no surprise, then, that the language that ultimately made it into the omnibus offers weaker privacy protections than earlier iterations of the bill.

For startups, CISA’s inclusion in the omnibus is bad for a few reasons. First, enacting significant legislation via amendment to unrelated must-pass bills limits the voice of small business in government. As this becomes more commonplace, startups that do not have the resources or relationships to participate in closed-door discussions are boxed out. Second, any bill that weakens privacy protections for user data threatens to undermine consumer confidence in Internet services. This, in turn, shrinks the market for startups that provide such services. Finally, the European Court of Justice recently invalidated a crucial safe harbor under which US companies—startups included—were permitted to import EU consumer data, and it did so precisely because US law gave the government access to user data without any real privacy protections. Pushing a bill like CISA only threatens to make things harder for US companies operating overseas.

As policymakers consider a variety of cybersecurity and privacy issues, it’s crucial that the startups and technologists that understand how key technologies actually work are a part of these conversations. Congress’s decision to move CISA through the omnibus spending bill is a move in the wrong direction for the startup sector’s participation in DC.