The Senate is expected to consider the Cybersecurity Information Sharing Act (CISA) (S. 754) on the Senate floor this week. The managers of the bill released a manager’s amendment on July 31 that makes some important changes to the bill, but that leaves key privacy and security concerns that CDT identified unaddressed or insufficiently addressed. In short, there are some important and some partial fixes and we describe some of them below and illustrate them in this redline. Huge problems remain.
Limits on Surveillance Authorities
We have criticized CISA as a surveillance bill in cybersecurity clothing because the bill authorizes the government to use information shared with it for cybersecurity purposes for criminal investigations that have nothing to do with cybersecurity. Instead of having to get a warrant to compel companies to turn over Internet user communications content to be used in a criminal investigation, CISA authorizes the companies to share such content when it qualifies as a “cyber threat indicator.” It also permits the companies to share this information not just for cybersecurity purposes, but for any purpose permitted under the bill, including to prosecute crimes unrelated to cybersecurity.
The manager’s amendment partially addresses these concerns in two important ways. First, it permits companies to share cyber threat indicators (CTIs) only for a “cybersecurity purpose.” “Cybersecurity purpose” means the purpose of protecting information or an information system from a cybersecurity threat or a cybersecurity vulnerability. Section 2(4). “Threats” and “vulnerabilities” are defined broadly. While one might prefer a tighter purpose restriction, this is a significant improvement to the bill.
Second, it strikes a reference to 18 USC 3559(c)(2)(F), which permitted the government to use CTIs to investigate certain felonies unrelated to cybersecurity, including car jacking and drug running with a gun. Section (5)(d)(5)(vi). This is a significant improvement. However, the bill still permits the government to use CTIs to investigate and prosecute crimes of espionage, identity theft, censorship, and trade secrets violations. The manager’s amendment improves the bill by limiting government use of CTIs to prosecute crimes, but the improvement falls short of a full fix.
We have criticized CISA for authorizing cybersecurity “countermeasures” (euphemistically re-named “defensive measures”) on one network that cause harm to another network or to data on another network, including countermeasures that run afoul of the federal anti-hacking statute, the Computer Fraud and Abuse Act. 18 USC 1030. The manager’s amendment takes one step forward on countermeasures, and one step back. The amendment makes it clear that countermeasures operating on one network that provide unauthorized access to data on another network are not permitted. Section 2(7)(B). This is a significant step forward because much of the off-network harmful effects of countermeasures cannot occur absent unauthorized access.
On the other hand, the manager’s amendment makes it abundantly clear that the countermeasures the bill authorizes need not operate on one’s own network – they can operate on somebody else’s network or data. It does this by striking the language in the bill that permitted entities to “operate” countermeasures “on” only their own networks or on networks of consenting entities. Section 4(d)(3)(A)(i). Instead, companies are authorized to operate countermeasures that are “applied to” their own networks and data, regardless of whether they operate on the company’s own network or data, or on that of a non-consenting party. Though this makes the section consistent with another part of the bill that authorizes operation of countermeasures (Section 4(b)(1)), itis a step backwards. The bill permits countermeasures operated on one network to cause harm on another network – or to data on another network – so long as the harm is not substantial. We believe the countermeasures authorization is unnecessary and should be removed. If it is not removed, it should, at a minimum, be amended to permit only those countermeasures that do not run afoul the CFAA.
Role of DHS
We have been concerned that the legislation will marginalize the Department of Homeland Security (DHS) by permitting companies in the civilian private sector to share CTIs directly with the NSA, Cyber Command, and with other elements of the DOD and the intelligence community. While the manager’s amendment does not address this problem directly, it enhances the DHS role in the government’s cybersecurity program by directing both DHS and the Department of Justice (rather than the DOJ acting alone) to issue the policies and procedures that govern the sharing of CTIs.
The manager’s amendment leaves unresolved many of the problems we have identified in the bill. We are hopeful that the procedures the Senate adopts for consideration of the bill permits amendments to address the problems above, as well as:
- Strengthen the requirement to remove personal information by requiring removal of such information unless the entity sharing it reasonably believes the personal information is necessary to describe or mitigate a cybersecurity threat;
- Permit companies in the private civilian sector to share CTIs only with the Department of Homeland Security, as opposed to with the NSA and any other agency of the federal government;
- Ensure that the requirement to share CTIs within the government permits sufficient flexibility and time for the sharing entity to apply privacy protective procedures; and
- Address the cybersecurity-related conduct of the NSA by prohibiting the NSA from stockpiling “zero day” vulnerabilities, and instead, require the NSA (with limited exception) to share those vulnerabilities with the companies that can patch them.