Is it possible to enhance cybersecurity without harming privacy? The Senate Select Committee on Intelligence (SSCI) attempted to balance these issues on March 12 by approving in a 14-1 vote the Cybersecurity Information Sharing Act of 2015 (S. 754), commonly referred to as CISA. This bill permits private entities to monitor and operate defensive measures on their information systems under limited circumstances. CISA also authorizes private entities and the Government to voluntarily give and receive information about cyber threat indicators and defensive measures to and from each other. This authorization to share information is subject to numerous limitations and requirements, including the prior removal of personal information of any person not directly related to the threat. However, despite SSCI's attempts to improve privacy protection since earlier drafts of the bill, privacy advocates still believe the revisions fall short.
CISA in a Nutshell
In a nearly unanimous vote, SSCI passed CISA on March 12, 2015. CISA encourages private entities to share information about "cyber threat indicators" and "defensive measures" (defined and discussed below) with the Federal Government by explicitly authorizing such sharing1 and providing the private entities with protection from liability2 for such sharing. In addition, CISA authorizes private entities to monitor their information systems -- or the information system of another entity upon receiving authorization and written consent from that entity -- for cybersecurity purposes, notwithstanding any other provision of law.3 Such monitoring is also protected from liability.4 CISA also authorizes private entities to operate defensive measures for cybersecurity purposes -- notwithstanding any other provision of law5 -- although the bill does not provide protection from liability for the operation of defensive measures.
In addition to empowering and protecting private actions, the bill authorizes action on the part of the Federal Government. It instructs the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General -- in consultation with the heads of appropriate federal entities -- to develop and promulgate procedures to facilitate and promote the Government's sharing of cyber threat indicators and cybersecurity threats with private entities.6 CISA also permits the Department of Homeland Security (DHS), which is charged with developing a portal for receiving shared information from private entities,7 to share received information with other appropriate federal agencies.8 Further, the bill permits the Government to use received information for a variety of purposes. These include:9
- Cybersecurity purposes;10
- Identifying a cybersecurity threat;
- Responding to, preventing, or mitigating an imminent threat of death, serious bodily harm, serious economic harm, or serious threat to a minor;
- Preventing, investigating, disrupting, or prosecuting an offense involving a serious violent felony, fraud, identity theft, espionage, censorship, or protection of trade secrets; and
- Informing the development or implementation of regulations relating to information systems, but only if consistent with regulatory authority specifically relating to the prevention of cybersecurity threats to such information systems and independent from procedures developed under CISA.
In addition, CISA permits the sharing of information with state, Tribal, and local governments and for those governments to use such information for preventing, investigating, or prosecuting certain offenses, subject to prior consent from the entity sharing the information.11 State, Tribal, and local governments may also use such information to inform the development or implementation of regulations relating to information systems, consistent with that government's regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems.12
Efforts to Pull in the Reins and to Protect Privacy
After undergoing numerous modifications from its previous versions, including accepting either in whole or in part 12 of 15 privacy amendments,13 CISA attempts to clarify several issues as well as provide greater protection of privacy.
The SSCI narrowed the bill's scope by defining what information private entities can share with the Government without liability, and by what means:
- Cyber Threat Indicators. By defining more narrowly what constitutes a cyber threat indicator, this most recent version of the bill limits the types of information that private entities may share with the Government and still receive liability protection. CISA defines the term to include information that is necessary to describe or identify malicious reconnaissance; methods of defeating a security control or exploiting a security vulnerability; security vulnerabilities; methods of causing legitimate users to unwittingly enable the defeat of a security control or the exploitation of a security vulnerability; malicious cyber command and control; actual or potential harms caused by an incident; and any other attribute of a cybersecurity threat14 if its disclosure is not otherwise prohibited.
- Defensive Measures. The bill also authorizes private entities to operate15 -- and share with the Government information about16 -- defensive measures against potential hacks. Under CISA, a private entity may operate and share information about actions, devices, procedures, signatures, techniques, or other measures applied to an information system, or to information that is stored on, processed by, or transiting an information system, that detect, prevent, or mitigate a known or suspected cybersecurity threat or security vulnerability. SSCI removed the more controversial term, "countermeasures," from this version of the bill. SSCI also explicitly excluded from the term "defensive measures" any measure that "destroys, renders unusable, or substantially harms an information system or data on an information system not belonging to" the acting entity or an entity (public or private) authorized to grant approval and having done so.17 Finally, CISA sets limits on the information systems on which a private entity may operate defensive measures to protect rights and property. These are (1) the entity's own information system; (2) an information system of another entity upon written consent; and (3) an information system of a federal entity upon written consent.18
- Protected Methods for Sharing Information. The bill only provides liability protection to private entities sharing information about cyber threat indicators or defensive measures with the Government if they share the information through one of the specified methods.19 Liability protection is available under CISA only if such information: (1) is shared through the portal CISA charges DHS to create; (2) is shared through non-electronic means; (3) is shared with the entity's own regulators; or (4) is a cyber threat indicator that has previously been shared.20 SSCI removed liability protection for other forms of sharing information that were included in previous drafts of the bill. The bill encourages use of a DHS portal because the portal is intended to centralize and simplify the flow of information and to ensure that privacy procedures developed by the Attorney General are applied to all incoming information.
- Restrictions on the Government's Collection. The bill does not require private entities to share information regarding cyber threats with the Government. Nor does it grant the Government any authority to pressure private entities to share. Rather, it creates an avenue for private entities to voluntarily share information with the Government. Private entities may choose to abstain.
SSCI worked to augment privacy protections in this latest version of the bill. SSCI Chairman Richard Burr (R-NC) stated following the vote: "This legislation protects the privacy rights of Americans while also minimizing our vulnerability to cyber-attacks."21 Specifically, under this latest version of CISA:
- Private entities that seek to share information must take proactive steps to remove any personally-identifying information not directly related to the cyber threat prior to sharing.
- Private entities' authorization to monitor information systems is limited to monitoring for cybersecurity purposes, and monitoring of a system the entity does not own is permitted only after receiving authorization and written consent from the entity that does.
- Private entities must comply with the bill's privacy protections before receiving liability protection. For example, if an entity monitors an information system, operates a defensive measure, or provides or receives a cyber threat indicator or defensive measure under CISA, it must utilize a "security control"22 to protect against unauthorized access to or acquisition of the information. The bill's liability protection will not be granted to any activity that fails to meet the privacy requirements or that qualifies as gross negligence or willful misconduct.
- The Attorney General must develop mandatory policies, procedures, and guidelines governing the Government's receipt of information from private entities. These must include
- Audit capabilities;
- Penalties for abuses by federal officials;
- Limitations on the length of time the Government may retain received information;
- Limitations on the Government's receipt, retention, use, and dissemination of cyber threat indicators containing personal information, including a process for timely destruction of information that is known not to be directly related to cybersecurity; and
- Procedures for safeguarding personal information from unauthorized access and to inform recipients that the cyber threat indicators may only be used for purposes specified in CISA.
SSCI's Ranking Member, Dianne Feinstein (D-CA) called the privacy provisions "substantial" and stated the changes made should assuage privacy concerns raised in response to earlier drafts of the bill.23
Strong Privacy Concerns Linger
Despite SSCI's efforts to increase protection of privacy, there remains strong criticism. SSCI member Ron Wyden (D-OR) tweeted "[the] Cybersecurity bill is bad for Americans' privacy" after he cast the only vote against CISA.24 In a March 12 Press Release, he voiced concerns that the bill "lacks adequate protections for the privacy rights of American consumers, and that it will have a limited impact on US cybersecurity."25 He further opined that, "If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill - it's a surveillance bill by another name."
The Center for Democracy & Technology (CDT) has stated support for many of the privacy amendments to CISA, including the limitations on the authorization to use defensive measures.26 However, CDT still opposes the bill. Specifically, CDT takes issue with the fact that CISA still permits private entities "to share communications information directly with the National Security Agency" (NSA), and that information shared with the Government may be used for law enforcement purposes that do not involve imminent threats or are unrelated to cybersecurity. Jake Laperruque, Fellow on Privacy, Surveillance, and Security at CDT, asserts that CISA still amounts to a "cybersurveillance measure" and "definitely" falls short of privacy safeguards included in a separate bill introduced by Senator Thomas Carper (D-DE).27 Mr. Laperruque is particularly concerned that the bill "require[s] real-time 'insta-sharing' with the NSA" after a private entity shares information with the Government. His concern may relate to Section 5 of the bill, which requires the Attorney General -- in coordination with the heads of the appropriate Federal entities -- to develop policies and procedures that will ensure that cyber threat indicators shared in real-time with the Government (1) "are shared in an automated manner with all of the appropriate Federal entities;" (2) "are not subject to any delay, modification, or any other action that could impede real-time receipt by all of the appropriate Federal entities;" and (3) "may be provided to other Federal entities."28 Section 5 of CISA also requires the Secretary of Homeland Security to develop and implement a process within DHS that "ensures that all of the appropriate Federal entities receive in an automated manner such cyber threat indicators shared through the real-time process within [DHS]."29
The American Civil Liberties Union (ACLU) has voiced similar concerns that CISA is a surveillance bill.30 Gabe Rottman, a legislative counsel, sees the bill not as "an information sharing bill at all," but rather as "a new and vast surveillance authority that might as well be called Patriot Act 2.0" based on his belief that the bill will funnel a large amount of personal information to the NSA. In addition, media strategist Rachel Nusbaum worries that CISA will allow the Government to use private information obtained from private entities on a voluntary basis -- and thus without a warrant -- in criminal proceedings, "including going after leakers [and whistleblowers] under the Espionage Act."31
The Electronic Frontier Foundation (EFF) believes the bill is particularly dangerous to privacy and "gives companies broad immunity to spy on, and even launch countermeasures against, potentially innocent users" because, in its opinion, the terms "cybersecurity purpose" and "cybersecurity threat" are too broadly defined.32 EFF also worries that CISA allows private entities to bypass DHS and share information directly and immediately with other federal agencies, including NSA. EFF asserts that this assures that DHS's privacy protections will not be applied to all information. The organization opines that, once information is shared with the Government, it can be used for reasons other than cybersecurity, and the Government will be able to keep this secret because CISA provides for exemption from disclosure under the Freedom of Information Act. Finally, EFF believes that CISA grants private entities too much immunity to monitor information systems and to share the information. EFF worries that the broad term "cybersecurity purpose" will immunize too many activities and preclude, or at least restrict, existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and potentially the Computer Fraud and Abuse Act.
Only time will tell whether the full Senate will feel differently and, if the bill gets that far, whether President Obama -- who threatened to veto a similar proposal in 2013 due to privacy concerns33 -- will determine that CISA goes far enough to protect privacy interests. CISA may also face competition from a bill introduced by the House Permanent Select Committee on Intelligence (HPSCI) on March 24. HPSCI's bill, entitled the "Protecting Cyber Networks Act," has support from Chairman Devin Nunes (R-CA), Ranking Member Adam Schiff (D-CA), NSA and Cybersecurity Subcommittee Chairman Lynn Westmoreland (R-GA), and Subcommittee Ranking Member Jim Himes (D-CT). Like CISA, the Protecting Cyber Networks Act aims to provide liability protections for private entities when they share cybersecurity information with the Government. However, those protections would be limited to sharing information with civilian government agencies; the bill would not grant protections for sharing directly with the Department of Defense or NSA. Accordingly, HPSCI's bill will likely face less opposition from privacy advocates than SSCI's CISA.