Yesterday was a busy day regarding the Cybersecurity Information Sharing Act (CISA). Sens. Dianne Feinstein and Richard Burr, the cosponsors of CISA, introduced a manager’s amendment that addresses some of the more concerning elements in the bill.
The amendment, however, is far from perfect.
In particular, it does not address the lack of remedies for individuals damaged by government abuses committed under the cover of cyber-threat prevention. As Ryan Radia, associate director of technology studies at the Competitive Enterprise Institute, notes:
[It is] critical that any cyber information sharing legislation include a provision that gives relief to individuals injured by governmental misuse of information shared by companies. In this Congress, and in the last two Congresses, the House passed cyber threat information sharing legislation that allowed injured parties to sue the government for damages (i.e., a waiver of sovereign immunity). Another approach to deterring misconduct … would bar the government from using evidence in court that is derived from shared cyber threat information for purposes beyond those allowed by the bill. Either a waiver of sovereign immunity or a suppression remedy needs to be included in any bill that liberalizes information sharing, or else companies won’t be able to meaningfully ensure that the government doesn’t use information they share with it for impermissible purposes.
Additionally, while the bill no longer contains a provision to allow law enforcement agencies to use data obtained under CISA authority to prosecute crimes unrelated to cybersecurity, other nonviolent offenses, such as trade secret and identity theft, could still be investigated and prosecuted. So the manager’s amendment certainly improves CISA in many ways, but it is still less than ideal from a civil-libertarian perspective.
Unfortunately, it is currently uncertain how many amendments will be permitted to hit the floor to rectify the problems with CISA. Even more uncertain is how much time the Senate will have to debate this legislation. With the failure of a cloture vote, Majority Leader Mitch McConnell and other Senate surveillance hawks won’t be able to push the bill to a vote before Wednesday. Add to that the coming recess—mere days away—and it becomes clear that time is quickly running out for significant improvements to the bill.
But the CISA news doesn’t end there; yesterday it was also revealed that at least one federal agency is kicking up a fuss regarding some of CISA’s provisions.
The Hill’s Cory Bennett has penned an article discussing the concerns that the Department of Homeland Security (DHS) recently made public in a letter to Sen. Al Franken, the ranking Democratic senator on the Senate Judiciary Subcommittee on Privacy, Technology, and the Law. DHS Deputy Secretary Alejandro Mayorkas made clear in the letter that DHS is particularly concerned over the unnecessarily expansive definition of cyber-threat indicators. This, he said, would likely result in a deluge of information unrelated to cybersecurity into DHS, sweeping away many privacy protections and undermining the National Cybersecurity and Communications Integration Center (NCCIC), operated under the auspices of DHS as the central hub of voluntary information-sharing between federal and nonfederal entities.
In addition to other problems with CISA (which I’ve detailed at length in a number of blog posts as well as a recent article in The Hill), the letter indicates that the bill “will increase the complexity and difficulty of a new information sharing program” and argues that a requirement for “sharing in ‘real time’ and ‘not subject to any delay [or] modification’ raises concerns relating to operational analysis and privacy.” If DHS is required to transmit information in “real time,” it raises a host of problems that would complicate efforts to properly scrub data for personally identifiable information, potentially compromising the privacy of Americans.
The letter concludes:
We have concerns with a bill that permits sharing with agencies other than DHS “notwithstanding any other provision of law,” and that mandates real-time dissemination of indicators without delay or modification. These provisions would undermine the policy goals that were thoughtfully constructed to maximize privacy and accuracy of information …
This is a telling admission on the part of the government. If the agency that is to be charged with serving as the clearinghouse for all cybersecurity-related information-sharing is raising concerns about CISA, the Senate clearly needs to reassess the bill.
Between the concerns of privacy advocates, the desire of many senators to have a longer and more involved amendment process, and now the revelation that the DHS is less-than-supportive of the bill, it seems the cards are beginning to stack up against CISA. What happens next will determine whether this week ends with a vote on the bill, or delays its consideration until after the August recess.