Last year, the Cybersecurity Act of 2015, a bill allowing companies to share information about cyberthreats with the government and one another, became law. This marked the conclusion of a long battle between the corporate and government interests that supported the bill and the privacy community, which strongly opposed it.
Though the end product was a serious step back for privacy and likely for cybersecurity as well, the version that passed is significantly better than where legislation was when this debate started. Those improvements are the direct result of the privacy community—including my own organization, New America’s Open Technology Institute. (Disclosure: New America is a partner with Slate and Arizona State University in Future Tense.) Despite corporate interests massively outspending the privacy community to lobby Congress (140 to 1 in 2011 alone), the privacy community repeatedly beat back bad legislation because it included dangerously weak privacy protections, threatened Americans’ civil liberties with overbroad law enforcement use authorizations, and could undermine cybersecurity rather than enhance it.
In the legislative boxing match between privacy advocates on one side and corporate and government interests on the other, privacy ultimately lost—but it was far from a knockout, and privacy advocates gave as good as they got from the first round to the last. An examination of the more than half-decade battle over cybersecurity information sharing demonstrates just how much impact the advocates and activists had on the ultimate legislation.
Round 1: The Kill Switch and Federalization of Critical Infrastructure Security
The debate around cybersecurity and information-sharing legislation began in earnest in 2009, with the introduction of the Cybersecurity Act of 2009 by then–Senate Intelligence Committee Chairman Jay Rockefeller, D–West Virginia.
Rockefeller’s bill included a provision called a “kill switch,” which would have allowed the president to shut down Internet traffic in the case of emergency or for a national security purpose, and to disconnect critical infrastructure systems such as those controlled by banks, telecommunications providers, and energy providers. Additionally, notwithstanding any other provision of law, the bill would have given the secretary of commerce access to “all relevant data” concerning critical infrastructure networks, including unnecessary personally identifiable information and communications content.
Groups like the Electronic Frontier Foundation immediately blew the whistle on the Cybersecurity Act, and it quickly became clear that the Senate would not be able to move forward with the bill.
Round 2: CISPA, the NSA, and Hacking Back
In 2011, the House Intelligence Committee jumped on the opportunity to lead on the issue with the introduction of the now-infamous Cyber Intelligence Sharing and Protection Act. While CISPA did not include a kill switch or allow for completely unfettered government access to critical infrastructure information—a win for the privacy community that emerged from the Round 1 debate—it contained many seriously troubling provisions.
CISPA would have undermined civilian control of the Internet by allowing companies to share information directly with the National Security Agency. It would have permitted the government to use that information in investigations into cybersecurity threats, but also into violent crimes regardless of imminence or a specific threat, and for national security purposes. (“National security purposes” is basically intelligence community code for unlimited national security investigations and other investigations unrelated to cybersecurity. Think NSA warrantless wiretapping and bulk collection minus court approval and oversight, or even a requirement for imminence or a specific threat.) Finally, CISPA would have given companies complete liability protection against any harms that resulted from sharing or receiving information under the bill, and for retaliating against perceived threats, also known as “countermeasures” and “hacking back,” so long as the company claimed that it acted in good faith.
The privacy community flexed its muscles and unleashed a massive wave of opposition from both civil society organizations and constituents at the grassroots level. After a series of letters to Congress, call campaigns, and email actions opposing CISPA, and despite a few insufficient amendments, the White House issued a veto threat, condemning CISPA as a threat to privacy and cybersecurity, and citing many of the same concerns raised by privacy advocates.
During the next Congress, CISPA’s sponsors reintroduced the bill with some small changes. However, with the exception of removing the national security purpose use authorization, all of the same significant problems remained.
Once again, the privacy community and its grassroots base went to work to oppose the bill, and again, the White House issued a veto threat. While the debate around CISPA 2.0 was raging, the Senate was quietly working on its own proposal, the Cybersecurity Act of 2012, which, though imperfect, did a much better job of addressing privacy concerns than any other proposals that had been considered. Nonetheless, Senate Republicans killed that package, claiming that several of its provisions unrelated to information sharing would have led to increased regulation.
Round 3: CISA and Passage of the Cybersecurity Act of 2015
From the ashes of CISPA rose the Cybersecurity Information Sharing Act of 2014, proposed by Sen. Dianne Feinstein, the then-chairwoman of the Senate Intelligence Committee. As introduced, CISA brought both good and bad: It would have authorized hacking back and other countermeasures, albeit without liability protection; allowed direct sharing with the NSA; and included a requirement to remove personally identifiable information, albeit a weak one. It reined in some of CISPA’s expansive law enforcement use authorizations by adding an imminence requirement to threats of death and violence, but also expanded the list of authorized uses by allowing information to be used for noncybersecurity investigations, such as those into Espionage Act and Trade Secrets Act violations. Finally, CISA provided liability protections for any action short of gross negligence, but they were still not as expansive as those included in CISPA.
Yet again, the privacy community rallied against CISA, issuing letters of opposition to the Senate and to the president. Democratic Senate leadership took note of the privacy community’s concerns and closed out the 113th Congress without taking action on CISA, despite significant pressure from corporate interests.
After the Sony hack was revealed in November 2014, the impatience of the intelligence community, the White House, the U.S. Chamber of Commerce, and trade associations like the Financial Services Roundtable reached its peak, and it became clear that Congress was going to pass a bill—any bill—so it could say that it had finally done something.
Over the course of 2015, the House passed two bills and the Senate passed an updated version of CISA. A comparison of all three bills shows that each had better and worse privacy protections in varying respects. Over the opposition of major tech companies like Apple and Dropbox and tech industry trade associations, 71 civil society organizations and security experts, and grassroots activists, Congress negotiated a final version of CISA, renamed it the Cybersecurity Act of 2015, and passed it as Subdivision N of the omnibus bill that provided the funding necessary to prevent a government shutdown over the holidays. Clearly it was still so controversial that congressional leadership couldn’t risk allowing it to get its own vote, and instead forced its passage by ramming it into a must-pass bill.
The final bill is a failure for anyone who cares about privacy or cybersecurity. But because of the work of the privacy community, it’s leaps and bounds better than when legislation was first introduced in 2009.
As enacted, CISA requires companies to review information for personally identifiable information and remove any that they know is not directly related to the cyberthreat before sharing. It only provides liability protection for sharing information with the Department of Homeland Security, or another civilian entity designated by the president. And it only provides liability protection to companies that act within the rules and requirements of the bill, without providing companies with a good-faith defense.
It authorizes companies to use defensive measures to protect against perceived threats, which still raises some concerns that cybersecurity could be undermined. Importantly, however, it does not authorize companies to retaliate against possible threats by hacking into other people’s networks as previous bills did. Finally, it authorizes law enforcement to use information for noncybersecurity investigations, such as Espionage Act and Trade Secrets Act violations, but it does impose a “specific threat” requirement for any investigation into threats of death, serious bodily injury, terrorism, use of weapons of mass destruction, or serious economic harm.
These provisions remain overbroad and in some instances are even a step back from previous versions of cyber legislation. But the end result is significantly better than it would have been had the privacy community not intervened, and had Congress passed the Cybersecurity Act of 2009 or CISPA and authorized kill switches, unrestrained sharing of Americans’ personal information with the NSA, nearly limitless use of that information by the NSA and FBI, and complete liability protection for hack backs and information sharing.
Fight Over: We May Have Lost, but You Should See the Other Guy …
The debate over information sharing took the better part of a decade and ended with no one being completely happy with the outcome—bill supporters and members of Congress were left looking bad, while the privacy community, despite winning important gains, was left feeling burnt and unsatisfied. This all happened because legislators and companies seemed to assume either that Americans didn’t care about their privacy or that the privacy community didn’t have the power to influence the debate. On both counts, they were dead wrong. The privacy community not only represents the interests and the opinions of millions of Americans and of people all over the world; it also has the will and the means to effect change. Thankfully, that knock-down, drag-out fight provided a road map of sorts that might help us avoid the same pitfalls in the future.
First, the privacy community has the power to win significant improvements to legislation through effective advocacy and analysis, and grassroots activism. Second, Americans care a lot about their privacy. To avoid multiyear fights and delays on future bills, members of Congress should start baking privacy protections into their legislation, which will require consulting with activists and advocates, and not just industry, at the outset. If we all keep those two lessons in mind, privacy and cybersecurity will be more likely to win, and Congress might actually find that it can get something done in a timely manner.
Those lessons are all the more important since we will face many more debates over cybersecurity and privacy. The privacy and security communities and industry have banded together to defend the importance of encryption, while the intelligence and law enforcement communities seek to undermine it. There will be other debates over government hacking and vulnerability disclosure, over NSA surveillance, and much more. Lawmakers and policymakers need to get serious about the fact that the privacy community isn’t going anywhere; it is growing and geared up for the next debate.