Guide To Cybersecurity Information Sharing Act Amendments

The Senate is expected to resume consideration of the Cybersecurity Information Sharing Act (CISA, S. 754) on Monday, October 26.  Though a Managers’ Substitute to the bill made some improvements, CDT opposes the bill because it:

• Requires that any Internet user information volunteered by a company to the Department of Homeland Security for cybersecurity purposes be shared immediately with the NSA, other elements of the Intelligence Community, with the FBI/DOJ, and many other Federal agencies – a requirement that will discourage company participation in the voluntary information sharing scheme envisioned in the bill;
• Risks turning the cybersecurity program it creates into a backdoor wiretap by authorizing sharing and use of CTIs (cyber threat indicators) for a broad array of law enforcement purposes that have nothing to do with cybersecurity;
• Authorizes cybersecurity “countermeasures” that would violate the Computer Fraud and Abuse Act and cause harm to others;
• Will have unintended consequences – it trumps all law in authorizing companies to share user Internet communications and data that qualify as “cyber threat indicators;”
• Does nothing to address conduct of the NSA that actually undermines cybersecurity, including the stockpiling of zero day vulnerabilities.

None of the pending amendments will fix these fundamental flaws in the legislation. However, rejection of the Cotton amendment, and adoption of the other pending amendments, would diminish some of the damage the bill would do to privacy. We explain why below, addressing the amendments in the order they will be considered on the Senate floor.

Amendments the Senate Should Adopt

S, Amdt. 2621, Sen. Ron Wyden (D-OR): Requires all entities sharing CTI’s to remove PII (personally identifiable information) not necessary to describe or identify a cyber threat. Adoption of this amendment is a CDT priority.

The amendment would require all entities sharing cyber threat indicators under the bill, “to the extent feasible,” to remove any personal information of or identifying a specific individual “not necessary” to describe or identify a cybersecurity threat. Currently, the bill only requires entities to remove PII when they “know” it is not “directly related” to a cybersecurity threat. That standard would virtually ensure that a huge amount of PII would be shared without advancing the cybersecurity purpose of the bill.

• The amendment is a good fix to the problem of unnecessary sharing of PII along with cyber threat indicators. It effectively shifts the default presumption in the bill to removal of PII from the current presumption in favor of including it when the sharing entity does not “know” it is “relevant.”
• It is more thorough than is the Heller amendment, which would impose such a duty only on the Department of Homeland Security before it shares cyber threat indicators.
• The amendment also provides an appropriate degree of flexibility for companies because it only requires them to remove unnecessary PII “to the extent feasible.”

S. Amdt. 2548, Sen. Dean Heller (R-NV): Requires federal entities to remove PII if they “reasonably believe” it is not directly related to cybersecurity.

• Should the Wyden amendment (which will be considered first) fail, Senators should approve the Heller Amendment. It strengthens the requirement to remove PII, but only for federal entities and therefore is only half a fix. Damage to privacy is done when a company needlessly shares its users’ PII with the Federal government; current bill text promotes this result and the amendment does not prevent it.
• It would, however, require federal entities to remove PII that that they “reasonably believe” (rather than “know”) is not directly related to a cybersecurity threat before sharing that information.
• Requiring a federal entity to strip CTIs of PII before sharing them if they reasonably believe the PII is unrelated to a cybersecurity threat is a good start to ensuring that individuals’ privacy is not needlessly compromised in the course of information sharing. It is an improvement to the current bill, as the bill’s language may lead federal entities to share all PII associated with a CTI because they cannot be certain that they “know” the information is not directly related to a cybersecurity threat.

S. Amdt. 2587, Sen. Patrick Leahy (D-VT): Removes the Act’s blanket FOIA exemption.

The amendment removes the Act’s exemption of information shared with the federal government pursuant to the Act from Freedom of Information Act (FOIA) requests.

• CISA’s FOIA exemption would be the most far-reaching broadening of the FOIA’s exemptions since 1986.
• This is unnecessary, given that most, if not all, information shared under the bill would already qualify for protection under existing FOIA exemptions. For example, the bill already notes, in section 5(d)(2), that a CTI or defensive measure provided by an entity to the Federal government will be considered the commercial, financial, and proprietary information of such entity, which is exempt from FOIA disclosure. Furthermore, the bill separately states in section 5(d)(3) that such information will also be deemed voluntarily shared information and exempt from disclosure.
• The House Intelligence and Homeland Security Committees removed this exemption from their cybersecurity bills because of its redundancy.

S. Amdt. 2582, Sens. Jeff Flake (R-AZ) and Al Franken (D-MN): Implements a 6-year sunset and provides liability protection to those who share information before sunset occurs.

Under the amendment, CISA’s provisions would sunset in six years, after which Congress would have the chance to assess the efficacy of the bill and amend it as needed during the reauthorization process. The amendment would extend liability protection to private entities that share information prior to the sunset date – a provision not included in the House bill.

• The cyber threat landscape is constantly evolving, so having a sunset that requires Congress to reconsider the legislation after it has had a chance to work is appropriate.
• The sunset will likely make DHS and other entities in the information sharing program more transparent about what they are doing with the authority granted, particularly when they return to Congress to get that authority re-authorized and tweaked.
• This sunset provision is shorter than the sunset provisions in the House Bill, H.R. 1560, which sunsets in seven years. While a four-year sunset would be most appropriate as it would prompt a more timely review, the six-year provision in the bill is adequate.
• It would be unfair to companies to remove liability protection from CTIs they share prior to the sunset date, and would discourage such sharing altogether. The sunset provision addresses this problem properly.

S. Amdt. 2612, Sen. Al Franken (D-MN): Narrows definitions of cybersecurity threats and cyber threat indicators.

The amendment tightens up the definition of “cybersecurity threat” by limiting that definition to actions that are “reasonably likely to” (as opposed to “may,” as in the pending bill) adversely impact the security, availability, confidentiality, or integrity of information or an information system. In addition, the provision would limit an aspect of the definition of “cyber threat indicator” to include only information necessary to describe actual harm (not “potential harm,” as in the original bill) caused by an incident. The amendment also changes the “catch all” in the CTI definition, but it is not clear that this change will have any effect.

• Tightening the definition of “cybersecurity threat” is important because that definition triggers other authorities in the bill. For example, companies can monitor their networks for “cybersecurity purposes” which include protecting the network against cybersecurity threats. Imposing a “reasonable likelihood” requirement means that unnecessarily intrusive monitoring is not privileged. Likewise, the bill authorizes companies to operate countermeasures (“defensive measures”) against “cybersecurity threats,” so properly scoping that definition reduces the likelihood that improper countermeasures will be deployed.
• The amendment would also limit the sharing of information to instances that are actually likely to identify a cyber threat or the harm resulting from it. This would not only do more to protect privacy – it would also improve the accuracy and utility of information shared through the program by reducing the amount of irrelevant information shared.

S. Amdt. 2552, Sen. Chris Coons (D-DE): Requires DHS to remove PII not necessary to identify or describe a cybersecurity threat before sharing a CTI; gives DHS time, when necessary, to apply privacy protective measures to the automated information sharing envisioned in the bill.

• This 11-page amendment requires DHS to remove any PII not necessary to identify or describe a cybersecurity threat before DHS shares a CTI with other Federal entities. It also permits necessary delays before CTIs are shared with other Federal entities.
• While it requires DHS to be able to receive CTIs in real time, it requires that DHS share CTIs with all appropriate Federal entities “as quickly as operationally possible” as opposed to “in real time.”
• Requiring DHS to remove PII not necessary to describe a cybersecurity threat, and giving it the time that it needs to do so, before sharing CTIs with other entities, helps ensure that personal information is not needlessly shared with the NSA, the FBI and others. It replaces an unrealistic provision in the manager’s substitute that would require the heads of seven huge Federal entities to agree unanimously to such delays.
• The amendment provision requiring that the Attorney General guidelines identify types of information that would qualify as a CTI that would be unlikely to include personal information “not necessary” to describe a cybersecurity threat, already appears in the Managers’ Substitute.

Amendment the Senate Should Reject

S. Amdt. 2581, Sen. Tom Cotton (R-AR): Permits companies to share cyber threat information with the FBI and Secret Service. Defeat of this amendment is CDT priority.

The amendment permits private entities to communicate cyber threat information and defensive measures to the FBI and Secret Service, in addition to the permission the bill already gives them to share CTIs with: (i) the Department of Homeland Security; (ii) their federal regulator (if any); and (iii) a federal entity regarding a previously shared CTI.

• Allowing, and privileging, information sharing with the FBI and Secret Service would raise serious privacy concerns because these entities’ missions center around criminal investigations, not cybersecurity. Companies already have ample legal authority to share information that is evidence of crime with the FBI and the Secret Service. The bill includes a provision making it clear that nothing in the bill diminishes that authority.
• Extending the ability to share CTIs with the FBI and Secret Service would undermine the DHS cybersecurity mission by encouraging companies to share CTIs with entities other than DHS, the lead agency in civilian cybersecurity. DHS has cautioned that allowing companies to share CTIs with any agency they choose would complicate the information sharing program and undermine its ability to protect the privacy of the Internet users whose communications data would be shared.