Despite the recent victories won by privacy and civil-liberties advocates against the U.S. intelligence community’s surveillance powers, members of the pro-surveillance wings of both parties are not backing down. To wit: the Cybersecurity Information Sharing Act (CISA) is the most recent bill that purports to make government and private-sector responses to cybersecurity threats more efficient.
Introduced by Sen. Richard Burr last March, CISA allows private companies to disclose “cyber threat indicators” to “appropriate federal entities” for the purposes of (quoting the bill):
- protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability;
- identifying a cybersecurity threat, including the source, or a security vulnerability;
- identifying the use of an information system by a foreign adversary or terrorist;
- responding to, or otherwise preventing or mitigating, a serious threat to a minor or an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or use of a weapon of mass destruction; or
- preventing, investigating, disrupting, or prosecuting an offense arising out of an imminent threat of death, serious bodily harm, or serious economic harm, as well as offenses relating to serious violent felonies, fraud and identity theft, espionage and censorship, or trade secrets.
These last two points are particularly worrisome, as such broad discretionary powers essentially permit the government to act on information and prosecute citizens without obtaining a warrant. All it would take is for a private company to voluntarily hand over information it suspects is related to a possible “cyber threat indicator.” Government agencies would then be permitted to pursue any of the aforementioned purposes. The trouble is, “cyber threat indicators” are so broadly defined as to essentially make this entire process a justification for bulk data collection, version 2.0.
Although CISA does not explicitly give the government permission to seek out such data (the information is provided by the voluntary consent of companies), once in the hands of intelligence agencies there is documented evidence to show that the NSA works with other agencies, like the DEA, to carve out parallel reconstructions of investigations, whereby agents claim evidence was obtained through legitimate means when in fact it was “laundered” to the agency from the NSA’s dragnet surveillance programs.
Indeed, the expansive language in the bill essentially circumvents due process. But that is not the bill’s only shortcoming.
In addition, CISA establishes a pathway for intelligence agencies, like the NSA, to share classified reports containing data on zero-day software vulnerabilities. These are reports the NSA generates when looking for security vulnerabilities in software code, or purchases from hackers who have discovered them. The reports are then hidden from public view in the name of national security and with a rhetorical panache that amounts to little more than “just trust us.” The theory behind such acquisitions, and keeping them quiet, is that nobody but “us” can use them. The reality is that any security vulnerability – that is, “backdoor” access into software platforms – can be used by anyone with knowledge of how to get inside. There is no way for the U.S. intelligence community to prevent malicious actors from exploiting these weaknesses. By keeping such information classified, the NSA and other agencies do a great disservice to American cybersecurity efforts. Unfortunately, CISA does not require such reports to be made public; rather, the NSA and other intelligence agencies are merely permitted to release this information if the agencies deem it “appropriate.”
While it can be argued that publicly releasing those weaknesses would merely increase the risk that they are exploited, the reality is that the systems-penetration experts and security specialists employed by companies like Google and Facebook would be able to patch their vulnerabilities relatively quickly – assuming they know of them. In fact, software companies constantly use bug reports submitted by users to update their software security, oftentimes compensating those bringing such flaws to the companies’ attention. Alternatively, the risk of exploitation remains continuously high if companies are not being apprised of their products’ weaknesses.
As Sen. Ron Wyden noted in an April committee vote to report the bill, the simple fact of the matter is that:
The most effective way to protect cybersecurity is to ensure that network owners take responsibility for security and effectively implement good security practices. And it is important to ensure that government agencies do not deliberately weaken security standards.… Any information-sharing legislation that lacks adequate privacy protections is not simply a cybersecurity bill, but a surveillance bill by another name.
Notably, Sen. Wyden was the lone vote against CISA’s march towards a vote on the Senate floor in the near term. Summing up his apprehensions about the bill’s failings, the senator argued that
This bill is likely to significantly increase government collection of individuals’ personal information, while unfortunately doing relatively little to secure American networks.
Among Wyden’s concerns, he points to (1) its permitting government agencies to use collected information for a broad variety of purposes, not merely for cybersecurity, (2) the broad definition of a cybersecurity threat constituting anything that “may result” in “harm” to a network, and (3) the blanket legal immunity granted to companies providing information to the government, which disincentivizes private firms from securing personally identifiable information (PII).
In short, CISA is essentially a Trojan horse housing expansive surveillance powers inside its seemingly innocuous shell. It appears to be anything but concerned with cybersecurity. It would institutionalize a process whereby companies collecting consumer data would be unaccountable when passing along PII to government agencies, which could use broad “specific selectors” to pick out data on individuals’ activities that could be used to prosecute them sans pesky warrants, due process, or probable cause.
Even if this effort doesn’t appear as nefarious as has been suggested, the recent Office of Personnel and Management (OPM) hack, affecting thousands upon thousands of government and contract employees’ PII, is a clear indicator of the government’s inability to get its own house in secure order. Eli Dourado, director of the Technology Policy Program at the Mercatus Center, points out that it is clear “the government is not a capable steward of sensitive data, while the Snowden leak establishes that intelligence agencies have already been directly extracting certain cyberthreat data from Internet traffic without a warrant.”
There is much to be wary of in this new bill, but in the wake of the recent passage of the USA FREEDOM Act, there is also much to be optimistic about. Edward Snowden put it best in a recent op-ed for the New York Times when he said:
[T]he balance of power is beginning to shift. We are witnessing the emergence of a post-terror generation, one that rejects a worldview defined by a singular tragedy. For the first time since the attacks of Sept. 11, 2001, we see the outline of a politics that turns away from reaction and fear in favor of resilience and reason. With each court victory, with every change in the law, we demonstrate facts are more convincing than fear. As a society, we rediscover that the value of a right is not in what it hides, but in what it protects.
As we move forward on surveillance reform, vigilance will be more necessary than ever, especially against veiled attempts at reinvigorating government surveillance authority in the guise of protecting us from cyber threats.