
CISA: Another Miss for Tackling Cybersecurity

Dec 21, 2014


Team Gagnier


CISA: ANOTHER MISS FOR CYBERSECURITY

GAGNIER FOR CONGRESS LEGISLATIVE SNAPSHOT

christinagagnier.com


On July 8, 2014, the Cybersecurity Information Sharing Act (“CISA”), S. 2588, passed through the Senate Select Committee by a vote of 12-3, moving it one step closer to reaching the Senate floor. The bill represents the fourth time in four years that Congress has attempted to pass cybersecurity legislation. The new bill is intended to assist companies and the government in preventing hackers from perpetrating attacks and other cyber intrusions.

CISA encourages companies to share information about cyber threats with each other and the federal government, which proponents of the bill say will help stop attacks. The bill provides incentives to share information by including provisions that protect businesses from lawsuits if they voluntarily elect to share cyber threat information. As the bill stands, when an individual or company shares cyber threat information with a particular department of the federal government, that information is automatically shared with all of the other branches, including the Department of Homeland Security, Department of Defense, Department of Justice and the National Security Agency.

The bill’s language was influenced by previous acts such as the 2012 Cybersecurity Act, S. 3414 (prior to the July 2012 privacy amendments), the McCain-Chambliss SECURE IT Act, S. 3342 (as reintroduced on June 27, 2012) and CISPA, H.R. 624 (as passed by the House on April 17, 2013), and includes the following provisions:

• Requires the Director of National Intelligence to increase the sharing of classified and unclassified cyber threat information to the private sector;

• Allows individuals and companies to monitor their own computer networks and consenting customers for cyber threats and install blocking techniques;

• Encourages voluntary sharing of cyber threat information by individuals and companies with each other and with the federal government;

• Includes liability protections for individuals and companies that adequately monitor their networks or voluntarily share cyber threat information; and

• Requires the federal government to establish procedures for the receipt, sharing and use of cybersecurity information, including the establishment of a “portal” managed by the Department of Homeland Security where information will enter and be shared among other federal entities.

Since the previous cybersecurity bills were considered, the public has learned much about the extent to which the NSA and other governmental agencies stretched the meaning of statutory provisions to collect vast amounts of information. By heavily relying on language from former cybersecurity bills, it appears that CISA fails to address or acknowledge any of the recently disclosed cybersecurity-related Snowden revelations about NSA surveillance conduct. Instead of proceeding with caution and requiring the federal government to implement strict policies and procedures for information sharing, the bill explicitly funnels more private communications and information to the NSA and other agencies. This risks turning the cybersecurity program into a backdoor wiretap, allowing the federal government to use cyber threat indicators for overly broad law enforcement purposes.

Additionally, the bill adopts a “willful blindness” approach when it comes to the removal of personal information not related to cyber threats. If the sharing entity does not know whether a cyber threat indicator includes irrelevant personal information, the bill does not require it to look for that information, and the indicator can be shared regardless. What is most disturbing, however, is that “personal information” is left undefined.

On July 15, 2014, a group of thirty companies and privacy groups demanded that President Obama promise to reject CISA for these loose provisions on sharing information without adequately filtering out irrelevant personal information. Previously, in spring 2013, President Obama threatened to veto CISPA, one of the bills from which CISA borrows language, and in the wake of the Snowden disclosures, the President has even more of a reason to oppose this similar legislation.

It seems that Congress cannot put together cybersecurity legislation without including broad immunity clauses for companies, vague definitions of key terms and aggressive spying provisions. Congress needs to realize that the public is becoming increasingly educated about and aware of its information privacy. Although the need for comprehensive cybersecurity legislation is great, with such strategic damage to people’s privacy rights, it is no surprise that the proposed bills fail.