Yes: the Cybersecurity Information Sharing Act of 2015 (CISA) was slipped into the must-pass Omnibus Spending Bill (the Consolidated Appropriations Act, 2016) last week by House negotiators and became law on Friday. No: despite protestations from some quarters, the sky has not fallen on our personal privacy.
Although critics decry CISA for providing the National Security Agency (NSA) with a direct pipeline to all of our personal data, the actual language of the statute does not support this criticism. Rather, when you examine what the statute actually says, you see a measured effort to promote national cybersecurity by encouraging better sharing of cyber threat information among our government and private industry, while addressing privacy concerns.
CISA Privacy Fears
The critique of CISA set forth in a WIRED magazine article published last week reflected the alarm among many in the “privacy community” with the following claim:
“CISA had alarmed the privacy community by giving companies the ability to share cybersecurity information with federal agencies, including the NSA, ‘notwithstanding any other provision of law.’ That means CISA’s information-sharing channel, ostensibly created for responding quickly to hacks and breaches, could also provide a loophole in privacy laws that enabled intelligence and law enforcement surveillance without a warrant.”
What CISA Actually Says
While it is true that CISA directs the Secretary of Homeland Security and the Attorney General to propose within 60 days procedures for private industry to share “cyber threat indicators” with government agencies – including the NSA – the WIRED magazine critique of CISA disregards CISA’s definition of “cyber threat indicator.” CISA expressly limits “cyber threat indicators” as follows:
“The term ‘cyber threat indicator’ means information that is necessary to describe or identify—
(A) malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
(B) a method of defeating a security control or exploitation of a security vulnerability;
(C) a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
(D) a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
(E) malicious cyber command and control;
(F) the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
(G) any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
(H) any combination thereof.”
In essence, the information that CISA promotes sharing is “reconnaissance,” “vulnerabilities,” “methods,” “harms,” and “attributes” relating to malicious attackers – not the data stored in the systems under attack. As the Report of the Senate Select Committee on Intelligence recommending passage of CISA observed, “this definition limits the information that can be shared under this Act to the techniques and ‘malware’ used by malicious actors to compromise the computer networks of their victims, not sensitive personal and business information contained in such networks.”
Rather than encouraging or even permitting the widespread sharing of personal information between industry and government, CISA mandates that before sharing a cyber threat indicator, a company must review it and remove any information not directly related to a cybersecurity threat that the company knows at the time of sharing to be personal information of, or information identifying, a specific individual (or must use a technical capability configured to remove such information). Thus CISA expressly bars the widespread sharing of personal information that critics say it invites.
The Significance of CISA’s Liability Limitation Provision
The language in CISA providing for the protection of personal information has been dismissed by critics as window dressing because of the statute’s limitation of liability provision. That provision states, “No cause of action shall lie or be maintained in any court against any entity, and such action shall be promptly dismissed, for the sharing or receipt of cyber threat indicators,” when the sharing is conducted in accordance with the information-sharing procedures developed under CISA. The liability limitation is a key provision. Because participation in the CISA information-sharing program is voluntary, no private company would participate if merely participating subjected the company to liability; the liability limitation is therefore critical to promoting voluntary participation. Critics suggest, however, that because of this protection from liability, private companies will not bother to strip personal information from data before sharing it with the government, and that wholesale and indiscriminate data collection will ensue.
This critique ignores the fact that the protection from liability is available only to companies sharing information in accordance with the program authorized under CISA, which CISA states must include procedures to protect personal information from unnecessary disclosure. Importantly, CISA provides that a company loses the protection from liability if “it has engaged in gross negligence or willful misconduct in the course of conducting activities authorized by [CISA].” Any company that indiscriminately turns over high volumes of personal information to the government unrelated to “cyber threat indicators” significantly risks losing the liability protection available under the statute.
Why the U.S. Needs CISA
The U.S. faces coordinated cyber attacks from hostile powers and from organized crime. Effectively defending against these threats requires that government and industry cooperate in identifying threats and sharing best practices for defensive measures. CISA is an important step in promoting this cooperation in a way that recognizes that building an effective cyber defense does not require disregard for civil liberties. Privacy advocates should carefully monitor the information-sharing program that the Department of Homeland Security and the Attorney General will announce in the next 60 days to ensure that it includes the protection for private information that CISA mandates. If it does, this program will strike the right balance in protecting our security and our privacy.