CISPA: Progress, But Flaws Remain
Written by Leslie Harris
In response to concerns that CDT and others raised, the House Intelligence Committee has agreed to support several important privacy improvements to the Cyber Intelligence Sharing and Protection Act (CISPA). Other issues we raised—the flow of Internet data directly to the National Security Agency (NSA) and the use of information for purposes unrelated to cybersecurity—are not addressed by the amendments the Committee is supporting. We support amendments to address these unresolved concerns.
Improvements Supported by the Committee
1. On the question of intellectual property and whether CISPA is some kind of backdoor SOPA, the Committee made changes in its April 16, 2012 discussion draft that we think should put that issue to rest.
2. On the definition of the information that ISPs and others can share with the federal government (“cyber threat information”), the Committee has agreed to support a proposed amendment making improvements. In particular, the proposed amendment deletes language that encompassed “information pertaining to the protection of a system or network.” The new definition is limited to “information directly pertaining to” a vulnerability, a threat, an effort to degrade, disrupt or destroy a system or network, or an effort to gain unauthorized access to a system or network. This is an important change. We believe it would preclude interpretation of the bill to permit the sharing of entire communications streams with the government.
3. Another concern we raised with respect to the definition of the information that could be shared was whether the reference to “efforts to gain unauthorized access” in the bill’s definition of “cyber threat information” could include conduct such as using a social networking site in violations of its terms of service. The Committee has agreed to support an amendment to make it clear that cybersecurity threats do not include actions solely involving violations of consumer terms of service or licensing agreements.
4. Another improvement the Committee previously made may bring some valuable oversight to the implementation of the bill – the bill includes a provision requiring the Inspector General for the Intelligence Community to conduct an annual review of, and file an unclassified report on, the use of cyber threat information for non-cybersecurity purposes, on other actions taken on the basis of shared information, and on the privacy and civil liberties impact of the information sharing authorized under the bill.
5. Another improvement in the bill is language specifically stating that the Federal government may not affirmatively search cyber threat information shared with the government except for cybersecurity and national security purposes. This would prevent data mining for law enforcment purposes of cybersecurity information shared with the government by the private sector.
6. The bill uses the term “cybersecurity systems,” stating that service providers can use “cybersecurity systems” to identify and obtain cyber threat information, which can then be shared automatically with the government. We believe that “cybersecurity systems” is vaguely defined. We supported more explicit language authorizing system operators to monitor their systems and networks. In particular, we were concerned that “cybersecurity systems” included the government’s EINSTEIN systems, designed with the aid of NSA. To address specifically our concern about EINSTEIN, the Committee is supporting an amendment that would make it clear that the bill does not authorize use of EINSTEIN on private sector networks. This is an important improvement.
The Committee has also agreed to support an amendment making it clear that the liability protection afforded to private companies related to using cybersecurity systems extends only to using those systems to identify and obtain cyber threat information.
8. The Committee has agreed to support an amendment requiring the government to notify an ISP or other entity when it is providing information that exceeds the definition of cyber threat information. As a practical matter, once so notified, the private sector entity cannot continue disclosing such extraneous data to the government. The amendment would also make it clear that the government cannot retain or use information for any purpose not authorized by the statute, but the breadth of use permitted is broad, as we explain below.
9. The bill includes a provision stating that the Federal government cannot require a private entity to share information with the government and cannot condition the sharing of the government’s cybersecurity information with a private entity on that entity’s providing information back to the government.
Fundamental Flaws Remain
1. In terms of who the information can be shared with, the amendment allows information to flow from ISPs and other service providers directly to the NSA. This is a fundamental remaining concern, since the bill could result in the NSA having a wider window into traffic on private sector networks.
2. The bill allows the information that the private sector shares with the government to be used for national security purposes unrelated to cybersecurity. This, too, is a remaining fundamental concern for us.
In sum, good progress has been made. The Committee listened to our concerns and has made important privacy improvements and we applaud the Committee for doing so. However, the bill falls short because of the remaining concerns – the flow of internet data directly to the NSA and the use of information for purposes unrelated to cybersecurity. We support amendments to address these concerns. Recognizing the importance of the cybersecurity issue, in deference to the good faith efforts made by Chairman Rogers and Ranking Member Ruppersberger, and on the understanding that amendments will be considered by the House to address our concerns, we will not oppose the process moving forward in the House. We will focus on the amendments and subsequently on the Senate.