One of the issues with various "cybersecurity information sharing" bills like CISPA from last year and CISA from this year is that some tech companies have been (quietly) supportive of these bills. The whole focus of these bills is to encourage "cybersecurity information sharing" between private companies and the government. And, in theory, that may sound like a good thing. In reality, all the bills really do is focus on protecting companies from liability should they share private information they shouldn't have shared. And, of course, there's the fact that people who understand these things recognize that there's a hidden meaning behind CISA, in that it's really designed to give the NSA more "signatures" to use in its surveillance dragnet.
But, of course, for many companies, the bill just looks like a "get out of court free" bill -- because the entire focus is on protecting those companies from liability. Some companies take a more long-term, customer- or public-centric view of things and recognize all this, and have not supported CISA. Others, however, have been more supportive. A few weeks ago, the BSA -- which is really the Business Software Alliance, but refers to itself as The Software Alliance -- sent a letter to Congress outlining some of the issues that its members were supporting. This included a bunch of reasonable and good things, like much-needed ECPA reform. However, it also included this:
Cyber Threat Information Sharing Legislation will promote cybersecurity and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat, thus enabling the development of better solutions faster.
Now, it's notable that this line does not directly endorse CISA. And it's pretty clear that's on purpose. Of the bullet points in the letter, three of the other four name specific bills that the letter is supporting. Leaving out specific support of CISA is an interesting choice and at least indicates some hesitancy among some of the companies signing onto the letter to actually support CISA in its current form.
Of course, the problem is that, right now, there are no real alternatives being offered, and politicians who support CISA can and will point to this letter to argue that "the tech industry supports CISA." And, with that in hand, the good folks at Fight for the Future kicked off a campaign called YouBetrayedUs.org, calling on the companies who signed the letter -- including Apple, Microsoft, Adobe, Symantec, Salesforce.com, Oracle and more -- to renounce the letter itself.
It appears that they've claimed their first scalp, as Salesforce.com has issued a press release saying they do not support CISA and have never supported CISA. The quote is from the company's chief legal officer, Burke Norton, who is the same representative who signed the letter:
“At Salesforce, trust is our number one value and nothing is more important to our company than the privacy of our customers' data,” said Burke Norton, chief legal officer, Salesforce. “Contrary to reports, Salesforce does not support CISA and has never supported CISA.”
And here he is on the letter:
Again, it's absolutely true that the letter did not directly support CISA. And it could have. As mentioned, most of the other bullet points list out bills by name and/or number. But the one on cybersecurity did not. Of course, one might argue that the BSA did this on purpose, knowing that if it cited CISA by name, all hell would rain down on them from the public.
Either way, perhaps this should act as a clear warning to tech companies that do want to support CISA. The public isn't going to like it very much. Similarly, this should provide further notice to companies signing these kinds of letters that they should understand what it appears they're supporting as well.