There is a battle brewing on Capitol Hill over the future of data security and surveillance. The proposed law is called CISA (Cybersecurity Information Sharing Act). A summary of the bill is here.
A lot of the large tech companies like Apple, Amazon, Google, Microsoft, Dell, Netflix, Oracle, Twitter, Yahoo, and Wikipedia have come out against the proposed law. But on the other side, in favor of the legislation, are a few tech companies and the large carriers such as AT&T, Verizon, Comcast, Cisco, HP, and Intel.
In a nutshell, the legislation replaces the former NSA surveillance program with a program under the Department of Homeland Security. While a significant portion of the bill is aimed at creating a national cybersecurity policy, the legislation also allows for government surveillance of phone and data records very similar to what has been collected by the NSA. Interestingly, the Department of Homeland Security is not in favor of the bill and says that it sweeps away privacy protections.
One thing is clear through many polls: American citizens don’t like the idea of being spied on by the government. It’s an issue that polls consistently across political, religious, and age differences. And so, to a large degree, the tech companies against this surveillance are voicing what they hear from their customers. And not unexpectedly, many of the companies in favor of the legislation are those that profit significantly by handling the government surveillance work.
The biggest issue the opponents see in the bill is that it requires that data gathered anywhere in the government then be shared with multiple federal agencies. I suppose this is a way to not let only one agency like the NSA gather and hold all of the data on citizens. But nobody believes that the government is capable of protecting all of the gathered data. In a recent discussion on the floor of the Senate, Senator Ron Wyden (D-Ore.) summarized this well, “There is a saying now in the cybersecurity field, Mr. President: if you can’t protect it, don’t collect it.” If the NSA couldn’t keep things secret, then how can multiple federal agencies protect against hacking and leaks?
Certainly the recent attacks on government personnel records are a good indicator of this. I have many friends who work in the government and they tell me that government computer and software systems are typically a few generations behind the commercial world, and due to the antiquated government purchasing process their systems are likely to always be behind.
I am certainly no security expert, but I do know that I don’t like the idea of the government gathering data about everyone. And I certainly don’t trust them to keep that data safe from hacking from the outside or abuse from the inside.
The other feature of the bill that is not very attractive is that it seems to put a lot of emphasis on creating a new government bureaucracy, which is likely to be nearly worthless in actually stopping cyberterrorism. The security fight on the web is already being fought by a number of web security companies and it’s a battle that changes daily. It just seems unlikely that government bureaucrats and policies can keep up with the real-world security issues that require a daily fight against new viruses and new threats.
I’ve written a few times about how one of the biggest threats to the health of the web is government surveillance. It has already driven a lot of countries to erect firewalls around their country’s data. And it is driving people, and companies like Apple, to encrypt everything. It’s extremely naïve to think that the real terrorists in the world aren’t already fully encrypted and part of the dark web. I can understand the feeling that we have to do something about security, but gathering data about every citizen in the country and then sharing that across multiple government agencies doesn’t feel like the way to do anything but make us even more vulnerable.