[Editor's Note: This is one in a series of blog posts from CDT on the Cybersecurity Act, S. 3414, a bill co-sponsored by Senators Lieberman and Collins that is slated to be considered on the Senate floor soon.]
Senate Republicans plan to push an alternative cybersecurity bill that raises fundamental civil liberties concerns. It permits ISPs and others to share broadly-defined cyber threat information with the federal government, it allows the information to be used for purposes unrelated to cybersecurity, and it permits the information to be shared directly with the National Security Agency (NSA), a military spy agency.
The Republican substitute will be a revised version of the SECURE IT Act (now numbered S. 3342, formerly S. 2151), introduced by Senator McCain and other Republicans. The original version of SECURE IT drew strong criticism in a May 14 letter from CDT and other privacy groups across the political spectrum. We said back then that the bill raised fundamental civil liberties issues, did not address concerns raised by the Cybersecurity Act, and was not a viable alternative to the leading bill, sponsored by Senators Lieberman and Collins.
SECURE IT supporters will no doubt argue that changes made to the bill adequately protect civil liberties while promoting cybersecurity. However, the new version of SECURE IT makes only modest privacy improvements, mainly through tightening definitions, clarifying government contractor obligations to share information, and requiring Inspectors General reports. These changes merely nibble around the edges of more substantial flaws: SECURE IT is still a back-door wiretap bill.
Under SECURE IT, whenever a private company shares information with a civilian government agency, the civilian agency must immediately share it with all of the cybersecurity centers established in the bill, including NSA and DOD’s Cyber Command.
Adoption of the Republican substitute (SECURE IT) as a substitute for Lieberman-Collins would mark a substantial step backwards for civil liberties. Below, we explain the fundamental flaws in SECURE IT and explain how improvements made to the bill do not address these fundamental flaws. A comparison of the information sharing provisions of the two bills can be found in this chart.
I. Fundamental Flaws In SECURE IT
Under SECURE IT, companies may disclose “cyber threat information” to government cybersecurity centers, notwithstanding any other provision of law. This means that if a privacy law protects information by requiring a warrant for government access, that information could be shared without a warrant. One cybersecurity center would be located within the NSA and others would be in other elements of the Defense Department, in the Department of Homeland Security and in the Justice Department. All cyber threat information shared with any cybersecurity center would be shared immediately with the NSA and every other cybersecurity center even if the cyber threat indicator was unrelated to the overall mission of the entity.
Cybersecurity information sharing depends on trust, and trust, in turn, depends on transparency. The NSA, Cyber Command and other elements of the DOD operate in secrecy for good reasons. But this secrecy also means that companies that share information with the government will not know what the government does with it. Companies that provide services to the public will be particularly hard-pressed to explain why they share cyber threat information with the government and with NSA, and why their customers should be comfortable with such sharing, particularly in light of the NSA’s record of unlawful and unconstitutional surveillance, including in the Terrorist Surveillance Program a few years ago. The NSA recently stated that it couldn’t even estimate how many Americans were swept up in intelligence surveillance that is supposed to be focused on non-U.S. Persons abroad, and which was authorized in the 2008 FISA Amendments Act. Cloud providers to businesses are already worried about losing contracts to European firms over claims that the Patriot Act gives the U.S. government unwarranted access to information stored in the cloud. If SECURE IT is adopted, cloud providers will have a hard time assuring companies abroad that their information will not be turned over to U.S. intelligence agencies and used for national security reasons unrelated to cybersecurity.
Unlike the Lieberman-Collins bill and the Administration’s own cybersecurity proposal, SECURE IT permits the NSA to use cyber threat information for national security purposes completely unrelated to cybersecurity. Cyber threat information will often necessarily include personally identifiable information that can be used to attribute attacks to particular computers or people. It is appropriate, in our view, for NSA to use this information for cybersecurity purposes – to protect against attacks on DOD and intelligence agency information systems, and to protect classified information systems in the private sector. It is inappropriate, in our view, to put that information to unrelated uses, such as storing it in a huge database and mining it for information to inform decisions about whom to wiretap in the U.S., and whose data to collect with a super secret national security letter.
Some companies – particularly those defense contractors and others that are part of the Defense Industrial Base – already have cyber threat information sharing relationships with the NSA. Claims that these relationships would be upset by a requirement of civilian control of cyber security information sharing in the new cybersecurity legislation are false. Rather, the Lieberman-Collins bill specifically and explicitly preserves these relationships, and creates new information sharing authorities on top of those that already exist.
Finally, SECURE IT is fundamentally flawed because it allows information that private companies share with the government for cybersecurity reasons to be used for completely unrelated law enforcement purposes. Information shared under SECURE IT can be used to prosecute tax fraud, immigration violations, creating fake IDs, and all of the other hundreds of crimes for which a wiretap order can be sought, and no warrant would be required in connection with any such use. Because it authorizes these broad law enforcement and national security uses, and promotes the flow of information directly from companies to the NSA, SECURE IT is fundamentally flawed, and is not a viable alternative to the Lieberman-Collins bill.
II. Modest Improvements In SECURE IT
The June 28 version of SECURE IT, S. 3342, made only modest improvements that do not address these fundamental flaws.
Limiting, Slightly, the Breadth of Shared Information
As introduced, “cyber threat information” that could be shared under SECURE IT even if another law would protect the information included all information which “may be indicative of or describe[s]” a cyber attack or other threat. The new version of SECURE IT tightens the definition by requiring that the cyber threat information “indicate or describe” such threats and attacks. This is a modest improvement. However, the Lieberman-Collins bill is superior because it more narrowly defines the information that can be shared and requires that it be “reasonably necessary to describe” the threat. That helps ensure that only true threat and attack information – and not everything else – is shared. In this way, SECURE IT still falls short.
Limiting the Breadth of Information Sharing Mandates Imposed On Contractors
As introduced, SECURE IT required government contractors to disclose cyber threat information they encountered if it was directly related to a government contract for cybersecurity, remote computing, or electronic communication services. It required such contractors to disclose this information even if they observed it on the network of another, non-governmental entity – a significant risk to privacy. No other leading cybersecurity bill, including CISPA and the Lieberman-Collins bill, mandates the sharing of threat information. Such mandates undermine the public-private partnership that is essential to a successful cybersecurity program and create a risk of “oversharing” information at the expense of privacy. The section was changed to require contractors to report only “significant cyber incidents” that a contractor discovers as a result of providing cybersecurity, remote computing or electronic communication service to the agency that would receive the report. Since “incidents” are narrowly defined and would have to have occurred on the agency’s own network, the risk to privacy is minimized. This provision was significantly improved. It now essentially codifies what government agencies already require by contract: that companies with which an agency entrusts its information tell the agency when a cyber incident compromises the information.
Requiring Inspector General Review
The revised version of SECURE IT authorizes the Council of Inspectors General on Integrity and Efficiency to review federal agency compliance with the information sharing procedures, and to consider in their review the need to protect privacy and civil liberties. While this review is welcome, it compares poorly to the more robust, annual inspectors general reviews required in the Lieberman-Collins bill.
III. Still a Back-Door Wiretap
Despite these modest improvements, SECURE IT still allows far too much information to flow to the government, allows information to flow directly from companies in the private sector to the NSA and other elements of the Department of Defense, and allows shared cyber threat information to be used for non-cybersecurity purposes such as national security and law enforcement. Much of this information would otherwise be protected from government access by the Fourth Amendment warrant requirement. Bypassing the warrant requirement to facilitate intelligence and law enforcement investigative activity effectively turns cybersecurity information sharing into a back-door wiretap. The incremental, pro-privacy changes made to SECURE IT do not overcome these fundamental flaws in the legislation.