Cybersecurity legislation is much needed, but previous versions of the Cybersecurity Information Sharing Act (CISA) all had one thing in common: harsh blows to government transparency. In July, OTG took issue with the Washington Post’s support of the legislation, noting that CISA fails to protect privacy, would block crucial information from the public, and threatens journalists and whistleblowers. The recently- released 114th Congress’ Intelligence Committee version of the bill contains the same worrisome provisions.
The newest iteration of CISA does include some protection for whistleblowers, but much whistleblower activity as commonly understood remains unprotected. Moreover, the bill still allows cybersecurity information to be used to investigate and prosecute whistleblowers or journalists under the Espionage Act. As the Sunshine in Government Initiative noted last summer, CISA’s broad definitions “would grant the federal government the authority to engage in the warrantless collection of journalists’ communications records…if the government deems the journalists, or the confidential sources they work with, ‘security vulnerabilities’ or ‘cybersecurity threats’ potentially ‘adversely impacting’ the confidentiality of information stored on government computers."
CISA would also create a broad new categorical exemption from disclosure under the Freedom of Information Act (an exemption 10), and would also restrict disclosure of information at the state and local level. As more than 30 groups said in a letter to the Senate Select Committee on Intelligence (SSCI) in June, CISA fails to incorporate any significant lessons learned regarding the critical role of transparency in oversight, and would keep the public in the dark about whether their privacy is being meaningfully protected. As we told the Post, “the Senate should pass cybersecurity legislation — but not this bill.”