The Senate Intelligence Committee advanced a terrible cybersecurity bill called the Cybersecurity Information Sharing Act of 2015 (CISA) to the Senate floor last week. The new chair (and huge fan of transparency) Senator Richard Burr may have set a record as he kept the bill secret until Tuesday night. Unfortunately, the newest Senate Intelligence bill is one of the worst yet.
Cybersecurity bills aim to facilitate information sharing between companies and the government, but their broad immunity clauses for companies, vague definitions, and aggressive spying powers make them secret surveillance bills. CISA marks the fifth time in as many years that Congress has tried to pass "cybersecurity" legislation. Join us now in killing this bill.
The newest Senate Intelligence bill joins other cybersecurity information sharing legislation like Senator Carper's Cyber Threat Sharing Act of 2015. All of them are largely redundant. Last year, President Obama signed Executive Order 13636 (EO 13636) directing the Department of Homeland Security (DHS) to expand current information sharing programs. In February, he signed another Executive Order encouraging regional cybersecurity information sharing and creating yet another Cyber Threat Center. Despite this, members of Congress like Senators Dianne Feinstein and Richard Burr continue to introduce bills that would destroy privacy protections and grant new spying powers to companies.
Aside from its redundancy, the Senate Intelligence bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures (now called "defensive measures" in the bill) for a "cybersecurity purpose" against a "cybersecurity threat." "Cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of the information system.
Even with the changed language, it's still unclear what restrictions exist on "defensive measures." Since the definition of "information system" is inclusive of files and software, can a company that has a file stolen from them launch "defensive measures" against the thief's computer? What's worse, the bill may allow such actions as long as they don't cause "substantial" harm. The bill leaves the term "substantial" undefined. If true, the
countermeasures "defensive measures" clause could increasingly encourage computer exfiltration attacks on the Internet—a prospect that may appeal to some "active defense" (aka offensive) cybersecurity companies, but does not favor the everyday user.
Second, the bill adds a new authority for companies to monitor information systems to protect an entity's hardware or software. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.
Sharing Information with NSA
Such sharing will occur because under this bill, DHS would no longer be the lead agency making decisions about the cybersecurity information received, retained, or shared to companies or within the government. Its new role in the bill mandates DHS send information to agencies—like the NSA—"in real-time." The bill also allows companies to bypass DHS and share the information immediately with other agencies, like the intelligence agencies, which ensures that DHS's current privacy protections won’t be applied to the information. The provision is ripe for improper and over-expansive information sharing.
Overbroad Use of Information
Once the information is sent to any government agency (including local law enforcement), it can use the information for reasons other than for cybersecurity purposes. The provisions grant the government far too much leeway in how to use the information for non-cybersecurity purposes. The public won’t even know what information is being collected, shared, or used because the bill will exempt all of it from disclosure under the Freedom of Information Act.
In 2012, the Senate negotiated a much tighter definition in Senator Lieberman's Cybersecurity Act of 2012. The definition only allowed law enforcement to use information for a violation of the Computer Fraud and Abuse Act, an imminent threat of death, or a serious threat to a minor. The Senate Intelligence Committee's bill—at the minimum—should've followed the already negotiated language.
The bill also retains near-blanket immunity for companies to monitor information systems and to share the information as long as it's conducted according to the act. Again, "cybersecurity purpose" rears its overly broad head since a wide range of actions conducted for a cybersecurity purpose are allowed by the bill. The high bar immunizes an incredible amount of activity. Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and potentially the Computer Fraud and Abuse Act would be precluded or at least sharply restricted by the clause. It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information. It's also unclear because we continue to see companies freely share information among each other and with the government both publicly via published reports, information sharing and analysis centers, and private communications.
A Fatally Flawed Bill
This fatally flawed bill must be stopped. It's not a cybersecurity, but a surveillance bill. And it can be voted on at any time. Get in touch with your Senator, tell them to vote no on the bill, and to not cosponsor the Senate Intelligence Committee's Cybersecurity Information Sharing Act of 2014.