July 28, 2015
Congress has been trying to pass cybersecurity information sharing legislation for years. All of these bills have failed to become law because they universally unnecessarily undermined privacy and civil liberties and simultaneously empowered law enforcement and intelligence community agencies like the National Security Agency (NSA).
The President made clear from the beginning of this debate that addressing privacy concerns in legislation was essential, and threatened to veto the House Intelligence Committee’s bill, (H.R. 3523), twice. Now more than ever, he should stand firm to those priorities.
CISPA first debuted in 2011 and privacy groups immediately cried foul, arguing that it would “needlessly impinge on Americans’ privacy” because it would “allow the transfer of vast amounts of data, including sensitive information like internet use history or the content of emails, to any agency in the government including…the National Security Agency,” and it lacked “meaningful use restrictions” for the information once in the government’s hands. The President heard the privacy community’s concerns and agreed. He threatened to veto CISPA because it failed to “preserve Americans’ privacy, data confidentiality, and civil liberties and recognize the civilian nature of cyberspace.”
CISPA’s proponents reintroduced the failed bill in 2013, and were met with the same pushback from the privacy community and from the Administration. This time, the White House set forth three overarching priorities that information sharing legislation must meet in order for the President to sign it into law:
(1) carefully safeguard privacy and civil liberties; (2) preserve the long-standing, respective roles and missions of civilian and intelligence agencies; and (3) provide for appropriate sharing with targeted liability protections.
Congress has moved on from CISPA, but a new and equally concerning bill has taken its place: CISA (S. 754). This Senate Intelligence Committee bill is poised for a vote as soon as next week. The President should again threaten a veto, as CISA suffers from many same fatal flaws that caused him to oppose CISPA.
The President Has Demanded Adequate Privacy Protections
The President has stated that information sharing legislation must provide “sufficient limitations on the sharing of personally identifiable information” and require companies to “take reasonable steps to remove” it. CISA fails to put in place that reasonable privacy protection. It would increase government access to innocent Americans’ personal data by authorizing companies to share vaguely-defined “cyber threat indicators” that could include private communications content and sensitive, personally identifiable information, even when that data is unnecessary to identify or protect against to a threat.
The President Has Demanded Narrow Use Restrictions
The President has also stated that information “sharing must be consistent with cybersecurity use restrictions, the cybersecurity responsibilities of the agencies involved, as well as privacy and civil liberties protections and transparent oversight.” CISA does not put in place meaningful use restrictions that would be adequate to protect civil liberties. Instead, CISA would allow the FBI and other federal, state, and local law enforcement agencies to use information they receive for investigations that have nothing to do with cybersecurity, such as investigations into garden variety violent crimes, drug crimes, arson, carjacking, and extortion.
The President Has Demanded Civilian Control of Domestic Cybersecurity
Finally, the President has consistently advocated for “the longstanding tradition to treat the Internet and cyberspace as civilian spheres” and opposed CISPA because it “effectively treat[ed] domestic cybersecurity as an intelligence activity” by allowing companies to share information directly with the NSA and failing to place reasonable restrictions on the government’s use of that information. CISA, like CISPA, empowers the NSA and fails to establish civilian control. It would allow companies to share information directly with the NSA. If a company shares with a civilian agency instead, that agency would be required to automatically disseminate it to the NSA, and would even be prohibited from scrubbing the information to remove unnecessary personal information.
These are just a few of the many flaws that have caused OTI to strongly oppose CISA. Yesterday, a coalition of over 68 civil society groups, companies, and security experts wrote to the President and urged him to issue a veto threat. It does not meet the bare minimum requirements for information sharing legislation that the President has laid out. Now is not the time for the him to back away from the principles he set forth, requiring adequate protections for privacy and civil liberties, and civilian control, by allowing CISA to become law. President Obama should defend those principles and threaten to veto CISA.