Incorporated into the 2,009-page omnibus spending bill released late Tuesday night is the Cybersecurity Act of 2015, a cyber information sharing bill based primarily on the Senate’s Cybersecurity Information Sharing Act (CISA, S. 754). The House Homeland Security Committee’s version of the legislation (H.R. 1731) – which generally offered more privacy protections – was largely pushed aside in secret, backroom negotiations on the cybersecurity information sharing bills, including the House Intelligence Committee’s version, H.R. 1560.
Following is a summary of key privacy and civil liberties problems in the Cybersecurity Act of 2015:
- Threatening Civilian Control of the Cybersecurity Program, and its Cybersecurity Focus: The Cybersecurity Act of 2015 authorizes companies to share cyber threat indicators with any federal agency notwithstanding any law. This broad authorization, drawn from the Senate version of the legislation, threatens civilian control of the cybersecurity program for private civilian entities because it permits them to share information directly with the NSA, Cyber Command, and other elements of the Department of Defense. While companies receive liability protection only for the information they share with DHS and with non-Federal entities, the bill allows the President to later designate other “appropriate” civilian Federal entities as information sharing portals, leaving room for scenarios in which companies would share – with full liability protection – information derived from Internet users’ communications directly with Federal entities such as the FBI and other agencies primarily concerned with law enforcement surveillance, not cybersecurity.
- Surveillance v. Cybersecurity: Information shared for cybersecurity reasons should be used for cybersecurity purposes, but this legislation does not impose this simple requirement. Unlike the House Homeland Security Committee’s bill, the Cybersecurity Act in the omnibus spending bill permits information shared under the bill to be used for a myriad of purposes completely unrelated to cybersecurity, including prosecuting espionage and trade secrets violations and other crimes. Remarkably, it made CISA’s overly permissive use restrictions even more permissive: Under CISA, the information shared could be used for purposes of responding to or mitigating an imminent threat of death, serious bodily harm, or serious economic harm. In the Omnibus, “imminence” of harm is no longer required, which opens the door for the FBI to pool the cyber threat indicators it receives under the legislation and repeatedly mine them to investigate activity unrelated to cybersecurity that may not even constitute a crime, and that does not pose any immediate threat. This makes the legislation seem as much a surveillance bill as a cybersecurity bill.
- Weak Requirements To Remove Personal Information: Entities should be required to remove any personal information not necessary to identify a cyber threat before sharing an indicator of the threat. Such a requirement advances both privacy and cybersecurity because it decreases the sharing of useless, irrelevant information. Instead of including this language, or even weakened versions of it, the Cybersecurity Act of 2015 merely requires governmental and private entities to remove information they know to be personal information not “directly related” to a cybersecurity threat. Such language will encourage entities to err on the side of sharing sensitive information when in doubt. In addition, the Cybersecurity Act of 2015 may leave DHS insufficient time to remove personal information before sharing within the government, even when it knows the personal information is not directly related to a cybersecurity threat. DHS must share cyber threat indicators with all appropriate federal entities in real-time, and the bill only permits delays due to controls agreed upon unanimously by all heads of the appropriate federal entities. Thus, the bill turns what should be an operational decision made by a technician on the ground on a case-by-case basis into almost a cabinet-level policy decision that, frankly, will never be made.
- Cybersecurity Countermeasures That Harm Others: Cybersecurity legislation should not authorize cybersecurity countermeasures that cause harm to others’ data, networks, or connected devices. Such legislation warrants strong opposition. Unfortunately, the Cybersecurity Act of 2015 permits “defensive measures” that seem rather offensive: they are permitted even if they cause some harm to another network, or to data stored on another network, so long as the harm is not “substantial.” Fortunately, the Cybersecurity Act adopted language from CISA that somewhat alleviates this concern by prohibiting countermeasures that provide unauthorized access to another system (or data on another system). It will be up to the courts to determine what measures are permitted or prohibited by clarifying what constitutes “unauthorized access” and what harms are so “substantial” as to be unlawful.
- Notice: The Cybersecurity Act requires the government to notify, in a timely manner, any U.S. person whose personal information is shared by a federal entity in contravention of the bill. This is a positive development, but notice should not be limited to U.S. persons. Moreover, notice should also be required when non-federal entities share personal information in contravention of the bill.
- Sunset: The Cybersecurity Act adopted CISA’s ten-year sunset provision, rather than the seven-year sunset that appeared in both of the House versions of cybersecurity information sharing legislation. While it is better than no sunset at all, ten years is too long for Congress to wait before examining whether the legislation is effective or is being misused.
Overall, the “compromise” that lawmakers came up with took the bad parts of the three bills on the table and, in many cases, made them worse. Unfortunately, the Cybersecurity Act of 2015 will probably become law, because any “nay” votes at this stage would be against the entire budget deal. There are, however, significant privacy costs built into this legislation.