Tech scrambles to oppose cyber bill

Privacy advocates are stepping up their efforts to beat back cybersecurity information-sharing legislation, threatening boycotts and forcing large tech companies to stake out opposition positions.

The backlash comes as rumors swirl that the Cybersecurity Information Sharing Act (CISA) could see floor time in the Senate as early as next week, or possibly the week after.

The bill is so controversial in some circles that a Sept. 14 letter from a software trade group seemingly backing the measure drew threats of a boycott of firms that signed on and, reportedly, some 15,000 angry emails. As a result, some firms have rushed to clarify their opposition.

“It’s a noncontroversial position to take to oppose the bill,” Ryan Kalember, senior vice president of cybersecurity at the security firm Proofpoint, told The Hill. “Companies that don’t really have a dog in this fight are just not saying anything. It is certainly the safe position in the broader technology world, as well as the cybersecurity world, to be against it.”

Senate Majority Leader Mitch McConnell (R-Ky.) vowed before Congress’s August recess that the upper chamber would take up the bill in September, but a crowded legislative schedule pushed it back down the calendar.

Observers say that leadership is working on a deal to cut down on a list of 21 amendments currently slated for debate. A few contentious additions are apparently slowing negotiations on CISA, which is intended to boost the flow of threat information between the federal government and private industry.

Privacy groups and the technology industry have mostly opposed the bill on the grounds that it will funnel personal data to government agencies that have shown they are incapable of protecting sensitive information.

Critics point to both the spectacular breach of the Office of Personnel Management (OPM) and the wide net of U.S. surveillance revealed by former National Security Agency contractor Edward Snowden as evidence that the federal government shouldn’t be trusted with citizens’ data.

Yet major tech players have expressed support for some form of information-sharing legislation.

In the Sept. 14 letter, the BSA Software Alliance urged lawmakers to move on legislation that would enable “private actors to voluntarily and more easily share cyber threat information with others, with an appropriate balance between privacy and security.”

Signatories included executives from IBM, Salesforce, Microsoft and others.

The reference to information-sharing legislation did not name CISA, but was widely considered to be code for the bill. BSA in July had urged the Senate to take action on the legislation.

A week later, after a social media backlash led by privacy group Fight for the Future, BSA walked back its language in the September letter.

“For clarity, BSA does not support any of the three current bills pending before Congress, including the Cybersecurity Information Sharing Act, the Protecting Cyber Networks Act, and the National Cybersecurity and Communications Integration Center Act,” the group said on its website.

Last week, Fight for the Future called for a boycott on letter signee Salesforce, as well as launching the pointedly named Youbetrayedus.org to allow users to send angry emails to companies that signed the BSA letter.

“Salesforce is actively supporting a bill that would undermine … trust,” Fight for the Future CTO Jeff Lyon wrote in a letter alerting Salesforce of the boycott. “If CISA passes, it will be impossible for us to guarantee our own privacy policy with our users, because [Salesforce product] Heroku may broadly violate their privacy agreement with us to share information about our users with the government.”

Salesforce CEO Marc Benioff quickly responded on Twitter, writing, “The letter clearly was a mistake and doesn’t imply CISA support. We need to clarify. I’m against it.”

Fight for the Future called off the boycott, but the incident cast light on the pressure tech companies are under to be seen as tough on privacy and, by extension, opposed to CISA.

Other major firms, including Apple, are also against the bill.

“The default position in light of Snowden is going to be an attempt to protect privacy and to hold that goal above almost everything else except maybe revenue generation,” Kalember said.

In other words, some tech leaders say that companies can’t afford to be seen as collaborating with the government from a public relations standpoint — it’s bad for the brand, especially with groups like Fight for the Future and lawmakers like Ron Wyden (D-Ore.) actively painting CISA as a “surveillance bill.”

Others say that part of the industry’s dispute with CISA is an amendment that broadens the scope of the legislation, taking the focus off threat sharing and putting it on enforcement.

The amendment from Sheldon Whitehouse (D-R.I.) would expand the penalties that prosecutors can seek for violations of the Computer Fraud and Abuse Act (CFAA), which prohibits accessing protected networks.

Critics say CFAA punishes low-level criminals and discourages legitimate security research from “white hat” hackers. Under Whitehouse’s amendment, violators could face up to 20 years in prison for harming critical infrastructure.

Even those amendments that directly address privacy concerns have not been enough to satisfy groups like Fight for the Future and the Electronic Frontier Foundation, a digital civil liberties nonprofit.

One amendment would require that companies share all data through the Department of Homeland Security, which is seen as having the government’s best data privacy procedures.

Others would require companies to inspect and strip personal details from cyber threat data, raise the standard for removing sensitive data and require a process to notify people whose personal information may have been inappropriately shared.

“While some advocates will paint these amendments as ‘steps forward,’ the amendments merely shuffle deck chairs on the Titanic — even with the better amendments, the bill is still a bad idea,” the Electronic Frontier Foundation said in September. “Democrats and libertarian Republicans should be opposing CISA outright.”

Older, narrower variations of information-sharing legislation did garner industry support in the past.

“The original bill was getting support of the industry,” Philippe Courtot, CEO of security company Qualys. “Yes, we need to share information. But that’s very different than the discussion about going after cyber criminals. We should not mix the two.”

But lawmakers are under increasing pressure to pass some kind of legislation to address the spate of intrusions on U.S. networks, including the high-profile OPM breach revealed this spring.

The Chamber of Commerce campaigned throughout the recess to counter the claim that the bill is tantamount to legislating government surveillance. And the Obama administration is pressing Congress to act.

“The greatest thing we need right now is help from the other branch of government to pass cyber legislation,” Homeland Security Secretary Jeh Johnson pressed in September. “The House has already passed comprehensive cybersecurity legislation that greatly enhances my authorities, that greatly enhances information with the private sector; in my view that is the key.”