How to Improve Cisa

Just before the Senate left for August recess, there was a furious race to cut short the amendment and debate process, and force passage of the Cybersecurity Information Sharing Act (CISA, S. 754). Thankfully, outspoken privacy and security minded Senators, like Wyden and Franken, heard and responded to the strong opposition of a massive group of privacy advocates, security experts, and grassroots activists who warned that CISA would be bad for privacy, bad for cybersecurity, and bad for national security too.

By stopping CISA’s consideration, these Senators ensured there would be ample opportunity for much needed debate and amendment. Senator Wyden’s amendment would beef up the requirement for companies to remove personal information before sharing indicators with the government. Senator Franken’s amendment would clarify the definitions of “cybersecurity threat” and “cyber threat indicator” to ensure that information that is shared pertains to fewer false positives and contains less content and personal data.

Even the Manager’s Amendment, put forth by the bill’s primary sponsors, Senators Burr and Feinstein, would make important changes: removing one of the more troubling investigative uses to which law enforcement could put information it receives, as well as clarifying that companies can only share information for cybersecurity purposes and that they cannot defend themselves in a manner that would violate federal anti-hacking laws like the Computer Fraud and Abuse Act.

In all, there are 22 amendments to CISA - some OTI strongly supports because they would make meaningful improvements, both from an operational and a privacy perspective; some we oppose because they would make the bill even worse; and some we are neutral on. However, OTI strongly opposes the bill, because even if all of the good amendments passed, and all of the bad amendments failed, CISA would have fatal flaws.

Some of CISA’s remaining problems would include:

• Overbroad authorizations to share cyber threat indicators, monitor users’ activities, and deploy defensive measures “notwithstanding any other provision of law”: It is impossible to know the ultimate scope and impact of such a sweeping authorization. Moreover, with so many companies already sharing information with each other through ISACs and with the government through entities like DHS’s NCCIC and the FBI’s eGuardian, it is unclear why Congress should take the dangerous approach of overriding all law, rather than simply identifying the laws that impede broader information sharing, and crafting narrow exceptions.

• Direct Sharing With Any Federal Entity (Including the NSA): This broad sharing mechanism not only raises serious privacy concerns because it could put the NSA in the driver’s seat for domestic cybersecurity. It also raises real operational concerns. DHS recently warned that CISA would cause “the complexity...and inefficiency of any information sharing program [to] markedly increase,” and it would result in reduced - not increased - situational awareness, thus “limit[ing] the ability of DHS to connect the dots and proactively recognize emerging risks.”

• Remaining Non-Cyber Use Authorizations: While the Manager’s Amendment would remove the most egregious non-cyber use authorization - the authorization to use information to investigate and prevent serious violent felonies like arson, carjacking, and extortion - it still allows law enforcement to use the information it receives in investigations that can be totally unrelated to cyber threats, like identity fraud, and trade secret and Espionage Act violations.

• Information Sharing Is Not a Panacea. It Is - At Best - A 10% Solution: The most prominent breaches, like those at JPMorgan, Home Depot, Sony Pictures, Anthem and more recently at the Office of Personnel Management (OPM), and approximately 90 percent of all attacks in general, are the result of poor digital hygiene, and information sharing would not have done a thing to stop them.

The Senate should maximize on the opportunity to allay some of the most significant concerns about CISA by passing amendments like those put forth by Senators Wyden and Franken. Several of the amendments would make important operational and privacy improvements to CISA. However, even if every amendment that OTI supports passes, we will still oppose the overall bill, in part because there are still several serious problems that are not addressed by any of the amendments offered so far. We will also oppose CISA because incentivizing information sharing is not the solution that Congress thinks it is for addressing the serious cybersecurity issues that our country faces. There are better ways for Congress to enhance cybersecurity. It can find ways to incentivize companies and individuals to engage in good cyber hygiene; promote the use of strong encryption; and ensure that federal agencies have the support, resources and expertise necessary to shore up and then maintain the security of their networks.

OTI has reviewed all of the amendments that may be considered when the Senate next takes up this bill, and a brief analysis of each amendment, along with OTI’s position, is available here.