DHS Is Very Worried About CISA, and They Should Be

The privacy and security communities have long decried the Senate Intelligence Committee’s Cybersecurity Information Sharing Act (CISA, S. 754) as being bad on privacy and bad on security. As it turns out, the Department of Homeland Security (DHS) - the civilian agency that quarterbacks the federal government’s cybersecurity and information sharing efforts - shares a lot of our very serious concerns. In a 7-page memorandum in response to Senator Franken’s July 1 letter asking what DHS thought of CISA and raising his own concerns, DHS made crystal clear that if passed in its current form, CISA would stir up a world of trouble and insecurity.

Operational and Cybersecurity Concerns

DHS points out that the authorization to share information with any federal agency “notwithstanding any other provision of law” is dangerous. It would cause major operational problems, and as a result, would undermine cybersecurity.

Their concern is that if sharing is authorized with any federal entity, as opposed to only with DHS, “the complexity...and inefficiency of any information sharing program will markedly increase.” In fact, such a broad authorization would result in reduced - not increased - situational awareness, thus “limit[ing] the ability of DHS to connect the dots and proactively recognize emerging risks.”

Additionally, CISA requires automatic dissemination of the cyber threat indicators that the government receives directly. In addition to creating the serious privacy concerns described below, this requirement also undermines operational efficacy. This would prohibit DHS from screening information for accuracy before disseminating it, and thus could result in the entities receiving from DHS “more information than they are capable of handling…[including] large amounts of unnecessary information with dubious value, and [those entities] may not have the capability to meaningfully digest that information.”

In other words, there will be too many cooks in the kitchen, and most of those cooks won’t even know how to boil water, let alone identify malicious code, or behavior and tactics similar to those of known cyber threats. The only real solution is to permit one civilian entity to receive cyber threat indicators. Since DHS’s National Cybersecurity and Communications Integration Center (NCCIC) was authorized by Congress to serve that role, DHS argues that CISA should assign this responsibility to the NCCIC.

Privacy Concerns:

DHS, like privacy and security experts, argues that CISA authorizes the sharing of unnecessary personally identifiable information (PII) and requires its dissemination throughout the government. First, it cautions that the broad definition for cyber threat indicators combined with the authorization to share those indicators “notwithstanding any other provision of law” authorizes the sharing of a dangerous amount of unnecessary PII. It also sweeps away core privacy protections, like those conferred by the Stored Communications Act, which limits the disclosure of the contents of communications to the government.

Finally, CISA requires that DHS disseminate information in real-time to all appropriate federal entities. It even includes a provision for so-called privacy procedures which are prohibited from resulting in the “delay” or “modification” of information when it is disseminated throughout government.

DHS cautions that these requirements “would complicate efforts to establish an automatic sharing regime,” and they “raise[] concerns relating to operational analysis and privacy. This is because “If DHS distributes information that is not scrubbed for privacy concerns, DHS would fail to mitigate and in fact would contribute to the compromise of personally identifiable information by spreading it further.”

Instead, DHS urges that information be disseminated to appropriate federal entities in as near real-time as practicable so that DHS may apply a privacy scrub to the information, and engage in an analysis to ensure that it was properly shared and is actionable or otherwise useful.

The Manager’s Amendment Makes Some Improvements But It Doesn’t Address Any These Operational Problems:

The bill’s primary sponsors, Senate Intelligence Committee Chairman Burr (R-NC) and Ranking Member Feinstein (D-CA) have negotiated a manager's amendment which would address some - but not all - of the concerns privacy groups have raised, and which would not address any of the operational problems that have been raised.

The amendment would ensure that companies could only share information with the government or with one another for cybersecurity purposes. It would also narrow the use authorizations in the bill so that law enforcement could no longer use information it receives in investigations into felonies under 18 USC 3559, which include a myriad of non-cybersecurity related crimes like arson, carjacking, robbery, and extortion. The amendment would fix the defensive provisions authorization, ensuring that a company could not operate a defensive measure that sought to gain unauthorized access onto someone else’s system, and, finally, it cuts the new exemption to the federal transparency law, the Freedom of Information Act.

Those are all good and important changes - but they fail to get at the heart of what is most concerning about CISA. CISA would still have a dangerously weak requirement to remove personal information; it would still authorize companies to share information directly with the NSA, along with any other federal entity; it would still prohibit DHS from doing a privacy scrub and a quality check before disseminating information it receives throughout the government; it still includes overbroad use authorizations that are unrelated to cyber threats, like identity fraud and Espionage Act violations; and it establishes unnecessary and overbroad authorities to monitor users’ activities. All of this, on top of the fact that numerous experts have pointed out a myriad of ways in which the bill would not measurably improve our nation’s cybersecurity.

The debate around how to improve cybersecurity is extremely complex, but one thing is crystal-clear: CISA is not ready for prime-time. As drafted, it would threaten privacy, cybersecurity, and even national security. Privacy groups agree. Security experts agree. Senators who have led privacy and cybersecurity efforts like Senators Franken and Wyden agree. And now, DHS is on record agreeing too.

Given these major privacy and operational concerns with CISA, Senate leadership would be irresponsible to push a vote on final passage without, at the very least, allowing for a robust debate and amendment process so that some of these problems may be addressed.