CISPA Moves To the House Floor, Still Deeply Flawed
The House of Representatives will take up the Cyber Intelligence Sharing and Protection Act (CISPA, H.R. 624) on Wednesday, April 17. While the House Intelligence Committee improved the bill at mark up last week, the fact remains: CISPA could shift control of the federal government’s cybersecurity program for the private sector to a secretive military intelligence agency. Such a shift would be a sea change in cybersecurity policy and a threat to civil liberties.
Militarizing Cybersecurity and Putting It Behind the Intelligence Curtain. The federal government’s cybersecurity program for the private sector (other than defense contractors) has always been in civilian, not military hands. This is important because civilian control means more transparency and accountability. This builds trust, public acceptance and industry participation. Last year, the lead Senate cybersecurity bill (the “Lieberman bill”) would have clearly affirmed civilian control. The Administration endorsed the Senate bill as did the intelligence community. CISPA is the outlier on this issue: It declines to affirm civilian control and would thereby allow power and leadership to shift to the National Security Agency. It does this by inviting companies to share cyber threat information with the government agency of their choice. Many will choose NSA (in large part because they don’t think DHS has sufficient expertise, which has gone to NSA). With the flow of information will likely come increased power and increased resources, worsening the reliance on NSA and further diminishing the standing of DHS.
CISPA’s threat to civil liberties and privacy does not stop there. The bill’s flaws include:
- Permitting companies to share cyber threat information with the government without making any effort to strip out personally identifiable information that is not necessary to describe the cyber threat;
- Permitting companies to “hack back” by immunizing them from civil and criminal liability even if they make reckless and negligent decisions based on cyber threat information shared or obtained under the bill; and
- Pre-empting all privacy laws (and all other laws) to permit information sharing.
At its mark-up, the House Intelligence Committee made some improvements to CISPA. The most important would bar the government from using for unrelated national security purposes the cyber threat information companies share with it for cybersecurity purposes. This change was critical. However, the bill still falls short. CDT opposes the legislation for the reasons outlined above and explained below.
Military vs. Civilian Control. Instead of giving the lead to the Department of Homeland Security, a civilian agency charged with cybersecurity responsibilities for the private sector, CISPA marginalizes DHS. In fact, at mark-up the bill got worse on this issue. Under an amendment the Committee adopted, the Director of National Intelligence – not the Secretary of DHS – sets the information sharing rules for federal agencies throughout the government, and any civil liberties protections they might include. This affirms the shift of control of the cyber security program toward intelligence and military control, and away from the more transparent and accountable DHS.
Overbreadth of Information To Be Shared. The Intelligence Committee rejected an amendment by Rep. Adam Schiff (D-CA) to require companies to take reasonable steps to remove personally identifiable information irrelevant to a cyber threat before sharing cyber threat information with the government or with each other. This amendment seems reasonable. Indeed, the industry representatives who testified at the Intelligence Committee hearing on CISPA said that complying with such a requirement would not be onerous and would be technically feasible.
Instead of requiring companies to take reasonable steps to remove irrelevant PII before they share cyber threat information, the Intelligence Committee adopted an amendment that requires the Federal government to adopt information sharing policies and procedures that limit its own receipt, retention, use and disclosure of personally identifiable cyber threat information that is not necessary for cybersecurity purposes. While this is somewhat helpful, it misses the mark: the harm to privacy happens when personally identifiable information is shared unnecessarily with the government.
As amended, the bill also describes the information to be shared too broadly. Such information need only “pertain” directly to four categories of cyber threats. This invites over sharing.
Hack back. It goes without saying, but a cybersecurity bill should not protect conduct that threatens cybersecurity. But, CISPA does.
CISPA grants companies immunity in civil and criminal cases for “decisions made for cybersecurity purposes” based on cyber threat information they receive under the bill. If, for example, a company responds to a suspected cyber attack by recklessly or negligently causing damage to a computer server it errantly believes was used in the attack, the person or entity victimized would have no civil remedy and the government could bring no criminal case under the Computer Fraud and Abuse Act, 18 USC 1030. Companies that hack back only lose their “decisions made” immunity if they fail to act in good faith, including for an “act or omission taken with intent to injure, defraud, or otherwise endanger any individual … or entity ….” In other words, if a company makes a decision (or, it appears, takes an action) based on cyber threat information received under the bill, and in taking that action negligently or recklessly damages another, it is immune from civil or criminal liability for doing so. Rep. James Langevin’s (D-RI) amendment, adopted by the Intelligence Committee, was intended to prevent companies from hacking back, but it addresses only part of the problem. As introduced, CISPA permitted companies to “use cybersecurity systems” on the networks of others to identify and obtain cyber threat information. The Langevin amendment limits company authority to “use cybersecurity systems” to the company’s own network, or to the network of a company it was hired to protect. Rep. Langevin’s amendment improves the bill, but it does not fix hack back because it leaves intact liability protection so broad that it virtually invites reckless cybersecurity conduct that harms others. It also leaves in place the troublingly vague authority to “use cybersecurity systems” (defined, essentially, as “systems” used for cybersecurity purposes) to “identify and obtain” cyber threat information, notwithstanding any law that would otherwise proscribe such conduct.
Pre-empting all law. CISPA’s information sharing authorities pre-empt all laws. Instead of creating cybersecurity information sharing exceptions to existing privacy and other laws, CISPA pre-empts all of them. It does not even specify the laws it is overriding. This approach is almost sure to have unintended consequences. The Intelligence Committee did not vote on any amendment to remedy this problem.
Improvements. While we oppose CISPA for the reasons stated above, the Intelligence Committee made some improvements to the legislation, including key limits on use of information shared for cybersecurity reasons.
- National security use. As introduced, CISPA permitted Federal entities to use for national security purposes the cyber threat information that companies shared with them under the bill for cybersecurity purposes. The sponsors of the bill, Reps. Mike Rogers (R-MI) and Rep. Dutch Ruppersberger (D-MD), accepted the amendment by Rep. Terry Sewell (D-AL) to remove this dangerous authority from the bill and we commend them for making this significant improvement. Without this amendment, there was a risk that CISPA would operate as a backdoor wiretap by permitting information shared for cybersecurity reasons to be used for unrelated national security purposes. As amended, CISPA permits the federal government to use cyber threat information shared with it under the bill for cybersecurity purposes, to prosecute cybersecurity crimes, to protect against danger of serious bodily harm, and to protect children against child pornography, risk of sexual exploitation and serious threats to their physical safety. The serious bodily harm exception should be further narrowed by requiring that the harm protected against be “imminent.” Otherwise, there is a risk that cybersecurity threat information could simply to put into general purpose anti-crime data bases for protective uses.
- Company non-cyber use. The Intelligence Committee also adopted an amendment offered by Reps. Joe Heck (R-NV) and James Himes (D-CT) to require that companies receiving cyber threat information under the bill use it only for cybersecurity purposes. This, too, is a significant improvement.
- Information Sharing Policies and Procedures. The bill would require the DNI to establish information sharing policies and procedures. While requiring information sharing policies and procedures improved the bill, the rules that CISPA requires omit key protections in that they:
- Authorize the DNI, rather than DHS, to promulgate, oversee, and annually evaluate the rules for cybersecurity information sharing government-wide, further distancing the cybersecurity program from the more accountable and transparent DHS;
- Do not require destruction of information that the government receives under the bill that is not useful for cyber security;
- Do not require the Federal governmental entity sharing information with non-Federal entities to advise them that the information can only be used for cybersecurity purposes; and
- Do not require the Privacy and Civil Liberties Oversight Board to issue an independent analysis Instead of requiring PCLOB evaluate implementation of the information sharing rules, CISPA merely requires the DNI to consult with PCLOB in the development of those rules, and requires the DNI and DOJ civil liberties protection officer to consult with PCLOB about recommendations to their assessment of the civil liberties impact of the Federal government’s information sharing activities and their recommendations for mitigation. of: (i) use by private entities of cybersecurity systems to identify and obtain cyber threat information, (ii) disclosures of cyber threat information by private entities; (iii) the impact on privacy and civil liberties of the activities of Federal entities under the bill; and (iv) improvements and modifications in the law or in information practices that are needed to address civil liberties concerns.
- Annual privacy and civil liberties reports. The Intelligence Committee also adopted an amendment offered by Rep. Mike Thompson (D-CA) that would require the civil liberties officers of the DNI and the Department of Justice to issue annual reports to Congress assessing the privacy and civil liberties impact of the Federal government’s activities under the bill and to make recommendations to mitigate adverse privacy and civil liberties impacts.
Though the Intelligence Committee made improvements to CISPA, CDT opposes the legislation because it would shift control of the government’s cybersecurity program for private companies from civilian to military control, thus diminishing program transparency and accountability. The bill also fails to require companies to take reasonable steps to strip out irrelevant personally identifiable information before they share cyber threat information, pre-empts all law with uncertain results, and invites reckless and negligent cybersecurity decisions that could damage others’ networks.