Burr, on the other hand, likens his bill to a neighborhood watch program, where "citizens and private entities" share information voluntarily so that they're all more prepared to respond to threats.
But Burr's analogy only works if he's imagining something like the Homeowners Association From Hell, one empowered to enter the houses of residents in the neighborhood under the guise of looking for burglars, which can then also snoop around and report on whether you're doinking the babysitter or watching pirated videos.
That's because the bill envisions companies monitoring not just their own networks -- but also the private accounts of their customers -- for threats. While the bill requires written consent before a service provider can monitor customers' accounts, that consent will be -- and probably already is -- written into those Terms of Service Agreements you never read before you click to agree to them. And the bill permits data collected under the guise of keeping out cyberintruders -- the equivalent of burglars, in Burr's analogy -- to be used to prosecute other crimes, including child exploitation or intellectual property theft.
Don't get me wrong. Adults shouldn't doink their babysitter, whether online or in their homes. But the solution to child exploitation is not to have private companies randomly trawl through everyone's private space -- all while protected by expansive immunity -- regardless of their own indiscretions.
Moreover, a key to making neighborhood watches work is involving the neighbors themselves, not just the private corporation running the neighborhood. Yet CISA, because it deputizes service providers into the vast system of secrecy that characterizes our national security system, might prevent the kind of information sharing that could really improve cybersecurity.
Consider: a number of recent cyberattacks -- including the attack on Sony Pictures and a recent attack on the White House -- appear to have been launched through phishing, where an attacker sends an email disguised as something legitimate to trick an ordinary user -- a member of the neighborhood -- into opening a link or attachment or handing over credentials, which lets the attacker into the entity's system as a whole. One of the most important things experts recommend to fight cyberattacks is basic hygiene: raising users' awareness not just of how common phishing attacks are, but of the latest variants, so that every user stays vigilant. But if average users don't practice that hygiene, everyone can be exposed.
For a neighborhood watch to work, all the neighbors -- not just the HOA officers -- should know that a dodgy guy going door to door claiming he is selling pool service is actually casing their homes in preparation to burgle them. All the neighbors should know what ruse an intruder is using so they'll be able to recognize the intruder when they see him -- and that information sharing may not happen under this bill because of classification.
Three other aspects of this model would need to be added to Burr's analogy to make it the HOA From Hell. In this approach to cybersecurity, the HOA may mandate that all residents keep their doors unlocked all the time -- or even secretly retain a key to all their homes -- so the HOA can enter without notice more easily. All those unlocked doors are just an invitation for theft and other crimes, though. One thing Ron Wyden has pushed for in his efforts to improve cybersecurity is a prohibition on the government requiring companies to install backdoors into their customers' accounts, but the intelligence committee voted down that effort, 3-12.
Also, under the HOA From Hell model of cybersecurity, homeowners would lose their ability to hold their HOA accountable if it did something wrong, perhaps took your silver while it was making sure no burglars were in your home. As Wyden argued, "The bill also creates a peculiar double standard, in that personal information about individual consumers can be used for a variety of non-cybersecurity purposes, including law enforcement actions against those consumers, but information about the companies supplying the information generally may not be used to regulate those companies."
And finally, the HOA From Hell model of cybersecurity permits immunized private entities to take "defensive measures" (in previous iterations of the bill, the same thing was called "countermeasures") to protect their own networks and those of customers who've given that unread written consent in the terms of service agreements. An HOA that is reckless in responding to something it perceives as an intrusion could do real damage to one of the homeowners who belongs to the HOA. When self-appointed neighborhood watch vigilante George Zimmerman saw African-American teenager Trayvon Martin wearing a hoodie in his neighborhood, for example, he assumed Martin was one of the burglars who had been plaguing the neighborhood, and ended up pursuing and ultimately killing Martin, who in reality was a visitor welcomed to the neighborhood by one of the homeowners.
A group of tech experts who raised concerns about CISA and similar bills pointed to this problem of false positives -- the possibility "that innocent behavior will erroneously be classified as a threat" -- as one of the key dangers of the bill. Using Burr's analogy of a neighborhood watch, the Martin example shows that this danger of false positives, accompanied by "defensive measure" permissions, can be truly dangerous.
HOAs -- and, by analogy, your online service providers -- serve a purpose, running things more efficiently and keeping the thoroughfares clear. But that doesn't mean the government should grant them vast powers to replace cops and general neighborhood awareness. Nor does it mean their powers and protections should override the protections of the homeowners who live in the neighborhood.
But that's the dystopian model of a neighborhood watch from hell that Richard Burr wants to roll out in your online neighborhood.