The White House recently released its long-awaited cybersecurity legislative proposal, finally adding its voice to the ongoing debate over government cybersecurity authorities. This is the second of a four-part analysis from CDT of various elements of the Administration’s far-reaching package. Part I, Part III, Part IV,
Part II: Information Sharing Between the Private Sector and the Government
This blog post analyzes the public/private information sharing provisions in the recently released White House cybersecurity legislative proposal, a package of new executive powers and amendments to existing authorities aimed at changing the direction of the ongoing debate over executive cybersecurity authorities. This post will address the information sharing provisions in the legislation. Top line: the legislation would authorize companies to share a vast amount of communications information with the federal government without adequate privacy protections with uncertain gains in cybersecurity outcomes. A more nuanced approach that more tightly limits the information that can be shared could be more effective in promoting security outcomes and protecting privacy.
How to encourage more robust cybersecurity information sharing without putting privacy at risk is a central policy challenge. There is a widespread agreement that cybersecurity information sharing essential to a robust cybersecurity program is inadequate. Private sector network operators and government agencies monitoring their own networks could better respond to threats if they had more information about what other network operators are seeing.
What does the White House Propose?
As a solution to this problem, the White House has proposed a sweeping information sharing regime that would permit any entity to share with DHS any information the entity may have, including communications traffic, no matter how it was acquired and no matter how use and disclosure otherwise would be restricted by law, so long as the entity shares it for cybersecurity purposes, makes reasonable efforts to remove irrelevant identifying information, and complies with as yet unwritten privacy protections. The provision, a new Section 245 of the Homeland Security Act, would permit a vast amount of personal information to flow to and from DHS and would effectively override protections in the Wiretap Act, the Electronic Communications Privacy Act, the Foreign Intelligence Surveillance Act, the Freedom of Information Act, the Sherman Antitrust Act, other federal statutes and any state statute that regulates interception, collection, use and disclosure of communications.
In contrast, Section 246(c) of the leading Senate cybersecurity bill, the Cybersecurity and Internet Freedom Act, S. 413, explicitly requires information sharing relating to cybersecurity incidents to adhere to the statutory schemes governing electronic surveillance. This is an important difference in approach. Both bills envision a “government-centric” information sharing system in which companies can feed information to DHS and it, in turn, shares information with companies. Both bills also envision that communications and other information shared with the DHS by state and local governments and by private entities would be exempt from disclosure under the Freedom of Information Act and comparable state laws. And, both bills wisely envision an information sharing regime in which information sharing would be voluntary, not mandatory. This is wise because giving a governmental entity mandatory authority to access private sector data that is relevant to cybersecurity would create a huge loophole in electronic surveillance laws and would undermine the public-private partnership that needs to develop around cybersecurity. Where the bills differ markedly is in the type of information that can be shared with DHS, which under the White House bill could receive much more communications traffic.
In other regards, however, the White House proposal raises serious concerns. Under the White House proposal, DHS could use, retain or further disclose the communications traffic and other information to private and to state and local governmental entities for cybersecurity purposes and disclose it to law enforcement entities when it is evidence of a crime. Agencies receiving communications, records and other disclosures from DHS could use them for cybersecurity and law enforcement purposes and could further disclose them to other entities that have agreed in writing to use them for cybersecurity and law enforcement purposes and to abide by the as yet unwritten privacy protections.
The privacy and civil liberties protections in the White House proposal are weak and principally center on the purpose limitation: limiting information sharing to cybersecurity and law enforcement purposes. Sharing a vast amount of communications traffic could, however, fit within that broad purpose.
In addition, while the legislation calls for DHS to issue privacy and civil liberties policies and procedures, DHS would have substantial discretion about what to include in them. The legislation does not require that those policies and procedures would be issued with notice and comment under the Administrative Procedure Act. Importantly, the bill indicates that DHS’s policies and procedures must require destruction of communications intercepted or disclosed for cybersecurity purposes that do not appear to be related to cybersecurity threats.
But, there is no effective way for an aggrieved party to enforce compliance with the policies and procedures because there is no private right of action for violations. Knowing and willful violations are misdemeanors that the Department of Justice has discretion to prosecute; they bring no prison time and fines can be no more than $5,000/incident. Companies and state and local governments that violate the law and share communications and information for inappropriate purposes, or who fail to strip out irrelevant identifying information, or who violate the privacy policies and procedures are immune from civil and criminal liability under all other laws if they relied in good faith on their own determination that their conduct was permitted in the proposed statute. Finally, the DOJ – a law enforcement agency – would decide which information could be disclosed for law enforcement purposes.
Congress should take a more nuanced approach to information sharing.
Is There a Better Way?
Yes. There are better approaches to information sharing that could accomplish the same security benefit with less privacy downside. First, Congress should determine exactly what information should be shared that is not shared currently and improve information sharing incrementally. It should start with an understanding of why existing structures, such as the U.S. Computer Emergency Readiness Team (“U.S. CERT”) and the public-private partnerships represented by the Information Sharing and Analysis Centers (ISACs) are inadequate. The Government Accountability Office (GAO) has made a series of suggestions for improving the performance of U.S. CERT. The suggestions included giving U.S. CERT analytical and technical resources to analyze multiple, simultaneous cyber incidents and to issue more timely and actionable warnings; developing more trusted relationships to encourage information sharing; and providing U.S. CERT sustained leadership within DHS that could make cyber analysis and warning a priority. All of these suggestions merit attention.
Second, an assessment should be made of whether the newly-established National Cybersecurity and Communications Integration Center (NCCIC) has addressed some of the information sharing issues that have arisen. The NCCIC is a round-the-clock watch and warning center established at DHS. It combines U.S. CERT and the National Coordinating Center for Communications and is designed to provide integrated incident response to protect infrastructure and networks. Industry is now represented at the NCCIC and its presence there should facilitate the sharing of cybersecurity information about incidents.
Third, Congress must make a realistic assessment as to whether an information sharing model that puts the government at the center — receiving information, analyzing it, and sharing the resulting analysis with industry — could ever act quickly enough to respond to fast moving threats. We have serious doubts. An industry-based model, subject to strong privacy protections, might be able to act more quickly, and would raise few, if any, of the Fourth Amendment concerns attendant to a government-centric model.
Fourth, the significant extent to which current law gives communications service providers authority to monitor their own systems and to disclose to governmental entities, and to their own peers, information about cyberattack incidents for the purpose of protecting their own networks must be accounted for. In particular, the federal Wiretap Act provides that it is lawful for any provider of electronic communications service to intercept, disclose or use communications passing over its network while engaged in any activity that is a necessary incident to the protection of the rights and property of the provider. 18 U.S.C. 2511(2)(a)(i). This includes the authority to disclose communications to the government or to another private entity when doing so is necessary to protect the service provider’s network. Likewise, under the Electronic Communications Privacy Act (ECPA), a service provider, when necessary to protect its system, can disclose stored communications (18 U.S.C. 2702(b)(3)) and customer records (18 U.S.C. 2702(c)(5)) to any governmental or private entity. Furthermore, the Wiretap Act provides that it is lawful for a service provider to invite in the government to intercept the communications of a “computer trespasser” if the owner or operator of the computer authorizes the interception and there are reasonable grounds to believe that the communication will be relevant to investigation of the trespass. 18 U.S.C. §2511(2)(i).
These provisions do not, in our view, authorize ongoing or routine disclosure of traffic by the private sector to any governmental entity. To interpret them so broadly would destroy the promise of privacy in the Wiretap Act and ECPA. The extent of service provider disclosures to the government for self-defense purposes is not known publicly, and Congress should require reporting of such activity.
While current law authorizes providers to monitor their own systems and to disclose voluntarily communications and records necessary to protect their own systems, the law does not authorize service providers to make disclosures to other service providers or to the government to help protect the systems of those other service providers. There may be a need for a very narrow exception to the Wiretap Act, ECPA, FISA and other laws that would permit disclosures about specific attacks and malicious code on a voluntary basis and that would immunize companies against liability for these disclosures.
The exception would have to be narrow so that routine disclosure of Internet traffic to the government or other service providers remained clearly prohibited. It would bar the disclosure to the government of vast streams of communications data, but permit liberal disclosure of carefully defined cyberattack signatures and cyberattack attribution information. It may also need to permit disclosure of communications content that defines a method or the process of a cyberattack. Rather than taking the dangerous step of overriding the surveillance statutes, such a narrow exception could operate within them, limit the impact of cybersecurity information sharing on personal privacy.
Finally, any amendments that weaken the controls and privacy protections of the surveillance laws should include legislation to update ECPA by making its privacy protections more relevant to today’s digital environment.
This more nuanced approach to information sharing would facilitate the sharing that needs to occur, and at the same time, better protect privacy.