They didn't get CISPA to pass. Now they're trying again with CISA (Cybersecurity Information Sharing Act).
Cybersecurity bills aim to facilitate information sharing between companies and the government, but their broad immunity clauses for companies, vague definitions, and aggressive spying powers make them secret surveillance bills. CISA marks the fifth time in as many years that Congress has tried to pass "cybersecurity" legislation.
Aside from its redundancy, the Senate Intelligence bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures (now called "defensive measures" in the bill) for a "cybersecurity purpose" against a "cybersecurity threat." "Cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of the information system.
Even with the changed language, it's still unclear what restrictions exist on "defensive measures." Since the definition of "information system" is inclusive of files and software, can a company that has a file stolen from them launch "defensive measures" against the thief's computer? What's worse, the bill may allow such actions as long as they don't cause "substantial" harm. The bill leaves the term "substantial" undefined. If true, the countermeasures ("defensive measures") clause could increasingly encourage computer exfiltration attacks on the Internet, a prospect that may appeal to some "active defense" (aka offensive) cybersecurity companies, but does not favor the everyday user.
Second, the bill adds a new authority for companies to monitor information systems to protect an entity's hardware or software. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called "cyber threat indicators," freely with government agencies like the NSA.
When I read "defensive measures", I picture the goon squad in Brazil that breaks into your house to arrest you for not filling out the proper forms.
Liberty for safety - always a sucker bet.