The term “cybersecurity” has long been a comically ubiquitous utterance in Washington. But recent proposals from Congress, the White House and the intelligence community are straining the word’s meaning to dubious ends. For most Americans, cybersecurity is the protection we desperately need in response to the dwindling separation between our physical and digital lives. Two-thirds of Americans now carry pocket-size computers full of intimate data that are connected to the Internet at all times, and cars, refrigerators and thermostats are not far behind. After a year of high-profile hacks — from the crippling compromise of Sony Pictures to major intrusions at Target, Home Depot and most recently the health insurance giant Anthem — who would say no to cybersecurity? But D.C.’s cybersecurity rhetoric is a political smokescreen. Though based on real threats, its purpose is to rally support for sweeping policies such as the Cyber Information Sharing Act (CISA), Congress’ latest attempt at cybersecurity legislation, that merely enable more surveillance.

Redundant and ineffective

What CISA proposes is nothing new; in fact, it’s the same controversial plan that members of Congress have been pushing for years. Rather than protect average Americans’ data by creating liability for companies that fail to follow standards or investing in better security technologies, the bill would establish a system in which private companies share threat information with the government, including personal information collected from users. The many previous versions of this sharing program have been called a privacy nightmare, and the current iteration is pretty much a carbon copy. It allows private companies to share any information deemed to be an indicator of a cyberthreat (called a signature) — free of liability and without any guarantee that a review process has taken reasonable steps to remove personal information beforehand. Once shared, the National Security Agency will be able to access all the data in real time, and law enforcement agencies will be allowed to retain and use it for a broad set of purposes, not just imminent threats to life and limb. The bill even gives companies permission to retaliate against hackers, as long as they don’t intentionally damage another U.S. entity’s computer systems in the process. (Foreign systems are fair game.)

How, exactly, would this improve cybersecurity? Perhaps unsurprisingly, the logic is almost identical to that of the U.S. government’s counterterrorism strategy. The thinking goes that if the government and the private sector were able to more quickly and easily share cyberthreat information, they could learn about the attackers’ tools and techniques, respond to breaches faster and perhaps even deter attacks. But experts overwhelmingly agree that such information sharing would be redundant and ineffective. In a Feb. 25 Christian Science Monitor poll of top cybersecurity thinkers, 87 percent said that information sharing would not significantly reduce data breaches.

That includes Dan Geer, the chief information security officer at In-Q-Tel, the Central Intelligence Agency’s dedicated venture capital arm. Speaking with The Christian Science Monitor, he noted that cyberthreat-sharing programs already exist to such an extent that “the U.S. government has nothing to add unless it wants to just give all the [companies’] chief information security officers a clearance — which, incidentally, they have largely done for the bigs but not for the littles.”

“This is why government threat signature sharing initiatives are such a nothing-burger,” one Silicon Valley executive told CNBC last week. “The signatures are of limited value and only a few select companies with clearances can actually use them.”

Jeff Moss, a member of the White House’s Homeland Security Advisory Council and the founder of the hacker conference Def Con, had a similar response to the poll, saying, “Information sharing allows better and faster Band-Aids but doesn’t address the core problem.” Geer said, “The big data breaches are so often the result of not paying attention by the victim.”

We’re not going to become more secure simply by letting the FBI and NSA spy on everything.

Which raises the question: If the U.S. government really wants to protect Americans from security breaches, why does it coddle giant corporations when they are hacked instead of enforcing stricter security practices and holding companies liable when they unnecessarily put their customers at risk? The Sony Pictures hack, which the FBI controversially claimed was perpetrated by North Korea, was immediately politicized in Washington as an attack on free speech. Yet individuals and civil society organizations that regularly face state-sponsored attacks, including refugees escaping oppressive governments, receive no such support. Meanwhile, companies use terms of service and license agreements to absolve themselves of any responsibility when customer data they are entrusted with is stolen, even when the breach could have been prevented or mitigated by taking simple precautions.

Privacy at risk