CISA is the opposite of cybersecurity.
Blanket immunity rewards security incompetence.
There are many ways a cybersecurity bill could protect us against foreign hackers. Congress could require government contractors to upgrade from outdated systems like Windows XP, or require companies to notify customers about security vulnerabilities if they can't be fixed within a reasonable amount of time. Basic security hygeine standards around storage of private user data could be established. Unfortunately CISA does none of these things, because government agencies and corporate lobbyists don't want to actually invest in network security. Instead, CISA lets companies get off the hook for the worst types of privacy violations, as long as they share data with the government.
Sharing data with the government puts us all at more risk.
CISA will put more private data in the hands of a staggeringly wide array of government agencies. Agencies like the Department of Commerce, the Department of Energy or the IRS are not equipped to safeguard this data—in fact, all of these agencies have been recently breached. How would giving more private sector data to the U.S. government protect our cybersecurity when these government agencies can't even protect the data they already have?
The FTC already has authority to regulate cybersecurity.
Cyber attacks aren't magic and hackers aren't wizards. Many of the biggest breaches could have been prevented if companies employed basic operational security measures, but companies have too much data and they're not taking security seriously. The FTC has the legal authority to investigate privacy breaches and impose fines and sanctions on companies in cases of negligence. The government already does it for oil spills, why not cybersecurity breaches? If companies faced strict penalties for exposing customers to identity theft, they would actually invest in security. This alone would stop hackers more than CISA ever could.