How do you kill a zombie bill like CISA? Grassroots action. That's why EFF and over a dozen other groups are asking you to join us in a Week of Action to Stop CISA. The Senate is likely to vote on the Cybersecurity Information Sharing Act (CISA) in the coming weeks, and only you can help us stop it.

We keep hearing that CISA and the other "cybersecurity" bills moving through Congress are “must-pass” legislation. But just like the original version of CISA, the Cyber Intelligence Sharing and Protection Act (CISPA), we think grassroots activism can stop this legislation in its tracks.

CISA is fundamentally flawed because of its broad immunity clauses for companies, vague definitions, and aggressive spying powers. Combined, they make the bill a surveillance bill in disguise. The bill may even make things worse for Internet users in several ways. That’s why we’re launching a week of action to make sure Congress is getting the message loud and clear: CISA must not pass.

The Week of Action

EFF and our allies have been hard at work fighting Congress’ cyber surveillance bills. But the most important voices are yours. Here’s how to help:

Visit the Stop Cyber Spying coalition website where you can email and fax your Senators and tell them to vote no on CISA. Use a new tool developed by Fight for the Future to fax your lawmakers from the Internet. We want to make sure they get the message. Check out our AMA on Reddit on Wednesday July 29 at 10am ET/7am PT with EFF, Access, Fight for the Future, and the ACLU and let your friends know about it. Help us spread the word. After you’ve taken action, tweet out why CISA must be stopped with the hashtag #StopCISA. Use the hashtag #FaxBigBrother if you want to automatically send a fax to your Senator opposing CISA. If you have a blog, join us by publishing a blog post this week about why you oppose CISA, and help us spread the word about the action tools at https://stopcyberspying.com/. For detailed analysis you can check out this blog post and this chart.

With your help, we’ll make sure Congress gets the message: now more than ever, we don’t need more cyber surveillance. We need better security. CISA must be defeated because it may make things worse for Internet users in several ways:

New and Invasive Tools for Companies

CISA allows companies to monitor their information systems for broadly-defined threats. Moreover, and equally alarming, the bill authorizes companies to launch countermeasures against perceived attackers, without any safeguards. While it prohibits measures that cause “substantial harm,” it’s unclear exactly what substantial is, leaving open the possibility of measures that cause a significant degree of harm. A letter sent in March by over 25 groups opposing CISA pointed out that, “CISA permits companies to recklessly deploy countermeasures that damage networks belonging to innocent bystanders.”

Overbroad definitions

As if the new authorities weren’t enough, the bill’s broad definitions grant companies even more discretion to decide when to go on the offense against perceived threats. For example, "cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of information or an information system.

Cyber surveillance (with the help of the NSA)

Not only does CISA grant companies more power to obtain “cyber threat indicators" and to disclose that data to the government without a warrant—it requires real time sharing of that information to military and intelligence agencies, including the NSA. In other words, cyber threat indicators shared with any agency would be automatically shared with the NSA—all without requiring companies to strip out personally identifying information.

To make matters worse, CISA grants the government too much discretion in how to use the information for non-cybersecurity purposes. It also contains exemptions to the Freedom of Information Act, which will keep the public in the dark about what information is being collected, shared, or used.

Near-Blanket Immunity

Finally, CISA would create incredibly broad immunity for companies that engage in any of the activities authorized by the bill. This is especially concerning because of the bill’s lack of protection for private information and the ability to launch countermeasures. Any company that merely does significant (but not “substantial”) harm to innocent people or machines will not be liable in court.

Participating organizations (updated on a daily basis throughout the week)