June 23, 2014
Last week, Senator Feinstein made public a draft cybersecurity information sharing bill titled the Cybersecurity Information Sharing Act of 2014 (CISA), which the Senate Select Committee on Intelligence is expected to mark up later this week. CISA takes a significant step back from the privacy protections that were included in the last cybersecurity information sharing bill considered by the Senate, the Cybersecurity Act of 2012 (S. 3414). It also fails to address the significant concerns that have been raised over the last year as Americans have learned about the scope and breadth of the government’s surveillance and cyber operations.
In its current form, this legislation would, among other things, create an expansive new information sharing program that would give the NSA access to vast quantities of new information, authorize private entities to engage in an array of countermeasures that could potentially harm average internet users, fail to adequately protect individuals’ personal information, absolve companies of all liability for harms resulting from negligent or improper information sharing, and does not attempt to prevent stockpiling of NSA-discovered vulnerabilities by setting standards for their disclosure.
Pasted below and attached here is the Open Technology Institute’s analysis of CISA, and recommendations for how to improve the legislation to better protect Americans’ privacy, while strengthening Internet security:
Analysis on the Cybersecurity Information Sharing Act of 2014:
A Major Step Back on Privacy
Robyn Greene, Policy Counsel
The Cybersecurity Information Sharing Act of 2014 (CISA)[i] takes a significant step back from the privacy protections that were included in the last cybersecurity information sharing bill considered by the Senate, the Cybersecurity Act of 2012 (S. 3414).[ii] It also fails to address the significant concerns that have been raised over the last year as Americans have learned about the scope and breadth of the government’s surveillance and cyber operations.
In its current form, this legislation would, among other things, create an expansive new information sharing program that would give the National Security Agency (NSA) access to vast quantities of personal information, authorize private entities to engage in an array of countermeasures that could potentially harm average Internet users, fail to adequately protect individuals’ personal information, and absolve companies of all liability for harms resulting from negligent or improper information sharing, and legitimate the NSA’s practice of stockpiling known vulnerabilities for its own use rather than responsibly disclosing them.
CISA’s Information Sharing Procedures Allow Direct Military Involvement in Civilian Cybersecurity Programs: CISA would authorize de facto information sharing with the NSA, because under its information sharing provisions, the Department of Homeland Security (DHS) is required to establish procedures for receiving cyber threat indicators that enable entities within the Department of Defense (DOD), such as the NSA and the Office of the Director of National Intelligence, to access the information simultaneous with receipt by DHS (CISA, Sec. 5(c)(1)(C)). Additionally, the government’s procedures prohibit any delay or interference with the dissemination of cyber threat indicators (CISA, Sec. 5(a)(3)).
Thus, DHS would serve merely as a portal for DOD entities to receive cyber threat indicators, and there would be no functional distinction between sharing with a civilian agency and sharing directly with the NSA. Additionally, the procedures require that companies share information in an “electronic format,” which is vaguely defined to include “a real time, automated process between information systems” (CISA, Sec. 2(9), and Sec. 5(c)(A)). This may be interpreted to authorize the government to gain direct access to a company’s information systems to receive cyber threat indicators. Finally, DHS and DOJ lack independence in establishing their procedures and must coordinate with, rather than merely consult, military and intelligence agencies.
Instead, a civilian agency should be in charge of receiving cyber threat indicators, and only share them with military or intelligence agencies when those indicators are necessary to address a significant cyber threat. The Cybersecurity Act of 2012 (CSA 2012) had a much more civilian-centric process for information sharing from the private sector to government. It would have created a cybersecurity exchange, either within a civilian federal entity or a non-federal entity, to receive and distribute threat indicators, with procedures to share threat indicators in “as close to real time as possible with appropriate” federal and non-federal entities (CSA 2012, Sec. 703(a)).
CISA Authorizes Excessive Information Sharing and Countermeasures: CISA would authorize an overly expansive new information sharing program because it fails to reasonably limit the instances in which information can be shared, what kinds of information can be shared, and what can be done to mitigate a cybersecurity threat, based on overbroad definitions of the terms “cybersecurity threat,” “cyber threat indicator,” and “countermeasure.”
CISA authorizes information sharing with the government about any “cybersecurity threat,” which is defined as any action that “may result in an unauthorized effort to adversely impact” a system (CISA, Sec. 2(7)). This extremely permissive standard for likelihood of an attack requires only that there is a vague possibility that an action will pose a threat. Additionally, the concept of “adverse impact” is too broad, and could cover a wide variety of inconsequential impacts that would not pose serious threats to an entity’s network or system. In contrast, the Cybersecurity Act of 2012 more tightly defined “cybersecurity threat” as “any action that may result in unauthorized access to, exfiltration of, manipulation of, harm of, or impairment to the integrity, confidentiality, or availability of an information system or information that is stored on, processed by, or transiting an information system,” except all actions protected by the First Amendment and terms of service violations (CSA 2012, Sec. 708(6)). That narrower definition, when combined with the other privacy protections included in the 2012 bill, posed far less of a threat to privacy.
Additionally, the types of information that can be shared with the government, “cyber threat indicators,” are defined too broadly, and include anything that “indicates, describes, or is necessary to identify” a cyber threat, or “any other attribute” of the threat (CISA Sec. 2(8)). Therefore any and every part of a communication that falls within the bill’s overbroad definition of “cybersecurity threat”—including the content of that communication, or any metadata associated with it—could be shared with the government, since it could be considered to “indicate” or “describe” the threat, or fit into the catchall “any other attribute” category. Instead, the bill should allow sharing only of cyber threat indicators that are reasonably necessary to identify or respond to a narrowly defined cybersecurity threat, and from which “reasonable efforts were made” to remove personally identifiable information, as was the case in the Cybersecurity Act of 2012 (CSA 2012, Sec. 708(7)).
Finally, once an entity identifies a cyber threat, CISA would allow that entity to respond to that threat with an overbroad set of countermeasures, including any “action, device, procedure, technique, or other measure” that prevents or mitigates a threat or vulnerability (CISA, Sec. 2(5)). Terms like “procedure,” “device,” and any “other measure” are so broad that they may be interpreted to authorize any possible countermeasure, including inserting malware or spyware on someone else’s computer, possibly even before they have attacked, as a means of “prevention.” The bill exempts companies from all other provisions of law that would prohibit such hack-back activities, and requires only that these countermeasures be “applied to” information systems of the countering entity or those of parties who have consented to the countermeasures – there is no requirement that the effects of the countermeasures be contained within those systems. Thus, the impact of countermeasures authorized under this bill could be far reaching, and could inadvertently affect countless innocent Internet users who are wholly unrelated to the cybersecurity threat. This provision should be substantially narrowed or removed entirely.
CISA Authorizes Sharing of Unnecessary Personally Identifiable Information (PII): CISA requires only that entities sharing cyber threat indicators must, before sharing, “remove any information contained within such indicators that is known to be personal information of or identifying a United States person, not directly related to a cybersecurity threat” (CISA, Sec. 5(b)(2)(B)). However, because this provision only requires stripping out PII that the sharing entity “knows” is PII of a US person, it provides insufficient protection — especially when compared to the Cybersecurity Act of 2012, which included in its definition of “cyber threat indicator” a requirement to make reasonable efforts to strip all PII (CSA 2012, Sec. 708(7)), whether initially known or not, and whether belonging to a US person or not.
CISA Inadequately Limits Government Use of Information It Receives: CISA authorizes federal, state, local, and tribal governments to use cyber threat indicators they receive in investigations and prosecutions that are far outside the scope of cyber crimes. The federal government may use that information to prevent, investigate, or prosecute not just violations of the Computer Fraud and Abuse Act but also ID document and authentication feature fraud, aggravated ID theft, access device fraud, economic espionage, theft of trade secrets, and violation the Espionage Act, which could have serious implications for whistleblowers who are seeking to disclose abusive or illegal activity or journalists reporting on those abuses. Even worse, state, local and tribal governments can “use, retain, and further share” information they receive for any law enforcement purpose, so long as they obtain the consent of the entity that provided the information.
Instead and at most, CISA should only allow law enforcement uses of cyber threat indicators to protect information systems from cybersecurity threats, and for investigations and prosecutions that pertain to cybersecurity crimes, the imminent threat of death or bodily injury, or a serious threat to minors, as was the case in the Cybersecurity Act of 2012 (CSA 2012, Sec. 704(g)(2)(B)).
CISA Authorizes Companies to Monitor Their Customers’ Activities: The Electronic Communications Privacy Act (ECPA) already allows private entities to intercept communications made over their networks in order to protect their right and property or combat trespassers, and to access the data that they store. CISA undermines the reasonable privacy protections included in those authorities, as well as any other law that protects electronic privacy, by creating a vague new authority for private entities to “monitor” any information “stored on, processed by or transiting” their information systems. (The verb “monitor”, a new term in the law of electronic privacy, is circularly defined as the act of “obtain[ing], identify[ing], or otherwise possess[ing] information that is stored on, processed by, or transiting an information system.” (CISA, Sec. 2(17)). This authority is redundant if read reasonably and dangerous if read unreasonably, and should be cut (CISA, Sec. 4(a)).
CISA’s Liability Protections Leave Customers No Recourse If They Are Wrongly Harmed by Information Sharing: CISA absolves companies of any liability associated with sharing or monitoring of information pursuant to the Act, except for actions that constitute gross negligence (CISA, Sec. 6(b)). A good faith reliance that a company’s conduct was authorized under this Act constitutes a complete defense (CISA, Sec. 6(c)). This provision would preclude causes of action for violations of the Computer Fraud and Abuse Act as well as privacy statutes such as the Stored Communications Act and Wiretap Act portions of ECPA. CISA’s liability protections should be narrowed to ensure that there is reasonable recourse for those harmed in the event that a company unnecessarily monitors or shares their personal information.
Stockpiling of Vulnerabilities and Internet Security: CISA includes a rule of construction that nothing in the bill can be interpreted to modify the authority of the Federal Government “to protect sources and methods and the security of the United States” (CISA, Sec. 8(c)). This language highlights a significant problem that was not contemplated in the Cybersecurity Act of 2012 – that the government is stockpiling vulnerabilities for its own investigative use rather than responsibly disclosing them. The government may interpret this language to authorize it to stockpile vulnerabilities discovered or purchased by the NSA that it would otherwise disclose to companies under the information sharing procedures required under this bill. These procedures, developed by the DNI, DHS Secretary, and Attorney General, in consultation with the heads of appropriate agencies, are also required to be established consistent with protection of sources and methods and national security (CSA 2012, Sec. 3(a)).
This type of stockpiling can have substantial negative consequences for Internet security, as the President’s Review Group noted in its final report: “In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection.... Eliminating the vulnerabilities – ‘patching’ them – strengthens the security of US Government, critical infrastructure, and other computer systems.”[iii] When news of the Heartbleed vulnerability broke, the Administration responded to allegations that the NSA knew about the Heartbleed vulnerability by indicating that it already has an interagency process called the "vulnerabilities equities process,” which establishes when to disclose vulnerabilities.[iv] However, this process is almost completely opaque, and the Administration indicated that it had “reinvigorated” the process in response to the President’s Review Group’s report, suggesting that it hadn't been strongly implemented or consistently followed before the report was released.
The White House and the Intelligence Community have both stated that it is already U.S. policy to disclose vulnerabilities except in the narrowest of cases. This is a policy that the President’s Review Group strongly supported, and that should be codified in any information sharing bill in order to ensure that it is followed.