When the Senate passed the Cybersecurity Information Sharing Act on Tuesday, it did so in a manner that could not have more thoroughly or blatantly ignored the many privacy concerns surrounding the bill.
CISA is intended to help companies and government agencies defend against computer security breaches by letting the private and public sectors share threat data more easily. But many civil liberties advocates, technology companies, and other critics of the bill have argued that the provisions meant to ease the sharing of information about attacks and breaches may also make it easier for government and private companies to share any other information with one another, customer data for instance, without fear of legal repercussion.
In response, several senators offered amendments that would have strengthened the privacy safeguards on the sharing mechanisms the bill creates. All four amendments failed yesterday in the lead-up to the Senate’s 74–21 vote in favor of CISA.
The central difficulty with the bill lies in defining exactly which kinds of information are, and are not, needed to combat computer-based threats. That category is hard to draw narrowly because it depends largely on the nature of the threat. A denial-of-service attack might call for sharing information about the source and nature of the malicious traffic, while ransomware distributed via email might call for sharing signatures of the malicious code or the senders and formatting of the emails used to deliver it.
These may be completely reasonable, even useful, measures to help others identify and mitigate a serious security threat. But, at the same time, a bill that makes it easier to share information about things like the senders and content of emails is a clear red flag to many people concerned about digital privacy. So CISA’s broad language allowing companies to share “threat indicators” and other “cybersecurity threat” information “notwithstanding any other provision of law” seems to sweep aside the entire existing framework of privacy law, with only very vague limits on what may be shared.
The amendments the Senate rejected yesterday all aimed to clarify and bound the extent to which personal information could be freely shared, and how difficult it would be for anyone to learn about that sharing under the Freedom of Information Act. For instance, Sen. Al Franken’s amendment would have narrowed the definition of the threat information that could be shared under the bill to information about threats that are “reasonably likely to” damage a network, rather than threats that “may” cause damage.
Sen. Ron Wyden’s amendment aimed to require companies to remove personal information from shared data, unless that personal information is essential to identifying the threat. Sen. Dean Heller’s amendment took a similar approach but required the Department of Homeland Security, instead of companies, to scrub information of nonessential personal material. Finally, Sen. Patrick Leahy introduced an amendment that would have rolled back CISA’s exemptions from FOIA requests.
The failure of all four of these amendments—all of them fairly measured in their approach—was a strong signal of how unwilling the Senate was to place any restrictions whatsoever on this bill.
It’s hard to define exactly what kinds of specific information may or may not be needed to identify and combat threats, and it’s not outrageous to create a pathway for some limited infringements of privacy to occur in pursuit of important security goals. But it’s striking how reluctant the Senate was to define those limits—especially given how much sharing of threat information already goes on between businesses using informal mechanisms. Is there a need for still greater sharing? Maybe. Probably, even. But it’s unclear whether this broad bill is the right way to go about it.
As Brian Krebs points out, “The most frustrating aspect of a legislative approach to fixing this problem is that it may be virtually impossible to measure whether a bill like CISA will in fact lead to more information sharing that helps companies prevent or quash data breaches.” Beyond the missing privacy protections, the bill contains no mechanism for assessing whether the sharing it enables measurably improves corporate or government security outcomes. So we are unlikely ever to know whether its curtailment of privacy protections serves any useful purpose, or whether that curtailment is in fact essential to improving security.
The version of CISA that the Senate passed yesterday is closely in line with the Protecting Cyber Networks Act that the House passed by a 307–116 vote in April. The two bills still need to be reconciled before either can become law. After that, it seems unlikely that President Obama will veto the result, since the White House has endorsed CISA, despite threatening in 2013 to veto a similar bill, the Cyber Intelligence Sharing and Protection Act.