Skip to main content

The potential impact of the 2015 Cybersecurity Information Sharing Act (CISA)

November 6, 2015


Jessica L. Beyer

Last week, I analyzed the Cybersecurity Information Sharing Act (CISA), which has just passed the Senate with a vote of 74-21. The CISA is an effort to promote information sharing across agencies of government and private actors in order to improve cybersecurity in the United States.

If the CISA passes, and it seems likely to, it will have a range of impacts internationally and on the Pacific Northwest (PNW). In the PNW, the CISA will heavily impact technology companies. Technology companies create, maintain, protect, and operate many of the tools that we use every day. Many of these companies either are located in the PNW, such as Microsoft, or have large offices here, such as Google.

The impact on tech companies is related to the physical structure of the Internet internationally. Much of the world’s data flows through the U.S., carried and stored by infrastructure owned by U.S. companies. This means that laws in the U.S. have implications for far more people than just those living inside the U.S. borders. The centrality of the U.S. to the flow of information and the implications of this centrality were brought home when Snowden revealed the extent to which the U.S. government was engaging in mass Internet surveillance. Upon learning of this surveillance, many countries were very upset, causing strained relations with the U.S.

The U.S. government’s practice of vacuuming of data from private companies for the purposes of surveillance has had negative implications for Internet governance internationally. For instance, Snowden’s revelations gave support to countries, such as China and Russia, calling for greater national controls over the Internet. It also caused tension between the U.S. and other democracies, such as Brazil. Advocacy for national-level control and multi-lateral agreements around that control, do not work with the multi-stakeholder approach to Internet governance that the U.S. government and U.S. corporate interests favor.

In addition, if states and populations around the world become overly concerned about what might happen to their information when it passes through the U.S., they may begin looking for alternative tools. The potential for this to happen is likely why, in a 2014 paper titled “International Cybersecurity Norms: Reducing Conflict in an Internet-dependent World” Microsoft’s Trustworthy Computing Group argued that the first of six proposed cybersecurity norms be that “states should not target ICT companies to insert vulnerabilities (backdoors) or take actions that would otherwise undermine public trust in products and services” (p.11).

Unlike other types of technology, the Internet is global. Laws created in the U.S. to protect U.S. citizens do not only touch U.S. citizens. Anything meant to protect people inside the U.S.’s borders will also touch people all over the world because of the design of the Internet. Even without taking into consideration the concerns about the wide permissions the CISA would give companies and the U.S. government over U.S. citizen and resident data, we ought to be concerned about permissions the CISA gives for access to information of those not protected by the U.S. Constitution and laws. While this may not matter to the U.S. government whose responsibility could be considered to end at the U.S. border, it certainly will matter to the companies who are equally accountable to all of their customers outside, as well as inside, the U.S. As so many of these companies have bases in the PNW, it is likely to impact our region as well.

By Jessica L. Beyer, Cybersecurity Postdoctoral Fellow, Jackson School of International Studies

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.