The “Cybersecurity Information Sharing Act” Cometh

When it rains it pours, and this seems to be the summer of all things surveillance, privacy, and cybersecurity on the Hill.

The past few months have seen a deluge of new bills and proposals. From passage of the USA FREEDOM Act and associated House amendments supporting surveillance reform, to various cybersecurity information-sharing bills, emergent consternations against strong encryption standards, and reform of the Electronic Communications Privacy Act (ECPA). Especially in the wake of the recent Office of Personnel and Management (OPM) hack, cybersecurity has recently been catapulted to the fore of the policy landscape.

Amidst this backdrop is the Cybersecurity Information Sharing Act (CISA) that invokes the use of “cyber-threat indicators” for purposes expressed either in CISA or in 18 USC 3559 c(2)(F). This portion of the U.S. code includes “serious violent felonies,” including murder, assault with the intent to commit murder, assault with the intent to commit rape, aggravated sexual abuse, abusive sexual contact, kidnapping, aircraft piracy, robbery, carjacking, extortion, arson, firearms use, firearms possession, or attempt, conspiracy, or solicitation to commit any of the above – all of this sans any need to acquire a warrant. Due process could very well be a thing of the past if CISA passes.

Cato’s Patrick Eddington, writing at Just Security, notes there are far more questions about CISA’s provisions and efficacy than answers. His pointed conclusion is that “it’s hard not to come away with the belief that the bill is a political exercise rather than a serious effort to prevent more government data breaches.” Indeed, in the wake of the recent OPM hack, this seems more an effort by legislators to appear as though they are addressing cybersecurity concerns, while leaving the core problems unaddressed.

If this were merely a theatrical bill with no teeth, there would be little cause for concern. In fact, CISA’s seemingly inoffensive language actually houses a number of concerns, prompting many privacy advocates and legislators to consider the bill a Trojan Horse for expanded state surveillance. Although CISA has been billed as a cybersecurity bill, the reality of the bill’s text is that information shared need not pertain merely to cyber-threat indicators, especially given how broad the definition of these indicators is. Moreover, there are no actual restrictions on sharing information received by any federal entity, from the IRS to the DNR.

The major concerns with CISA are:

• broad definitions of “cyber threat indicators,” which permit law enforcement agencies to prosecute Americans for crimes unrelated to cybersecurity hacks;
• lack of robust protections for personally identifiable information (PII), specifically the absence of mandatory “scrubbing” provisions that would de-identify such information;
• inclusion of liability protections for corporations that “voluntarily” pass information along to intelligence agencies, thereby disincentivizing the corporations from implementing privacy best practices when passing along data;
• lack of any sunset provision or oversight and transparency controls; and
• lack of any reporting requirement to determine the efficacy of the program.

To put CISA in the broader context of this legislative session, Congress and the executive branch have moved forward with a wide range of bills and presidential memoranda that purport to enhance privacy protections and cybersecurity. From President Obama’s order mandating the creation of the Cyber Threat Indicator Integration Center (CTIIC) to CISA, the federal government seems to be working extra hard to create a whole new layer of bureaucracy to handle what an already expansive bureaucratic system has been unable to do: secure government networks against malicious hackers.

As Eli Dourado and Andrea Castillo of the Mercatus Center’s Technology Policy Program pointed out in a recent policy brief, “Laws like CISA could open another channel for intelligence agencies to extract private data for criminal investigations completely unrelated to cybersecurity.” They go on to point out that:

In the worst-case scenario, high-profile information sharing measures like CISA will serve to ultimately weaken cybersecurity if they instill a false sense of security among government and private actors, leading them to neglect these other critical factors that are arguably more imperative for robust cybersecurity.

Indeed it is often the case that, no matter how well-intentioned government-imposed standards may be for a particular industry’s best practices in security, the result of enshrining such practices in legislation results in an underinvestment in innovation and building-out new, more effective measures for combating security breaches. Especially when looking at CISA’s legal-liability immunization provision for companies sharing PII with federal agencies, there is little incentive for companies to do anything more than the bare minimum in “scrubbing” the data they pass along. If companies are insulated from legal hazards, their risk-tolerance for information-sharing is likely to skyrocket.

Dourado and Castillo argue there are far better policy alternatives for securing the federal government’s networks, such as requiring

encrypted connection for all government websites. Likewise, government agencies should cease the practice of purchasing “zero-day exploits,” or publicly unknown security vulnerabilities, without notifying the relevant parties of discovered system weaknesses. Finally, government agencies can simultaneously improve their own system defenses and promote private sector security by purchasing cyber security insurance policies for their own networks and thereby stimulating this industry.

From redundant federal agencies dealing with cyber-threat indicators and cybersecurity, to discussions of information-sharing and weakening encryption standards, the government is engaged in a renewed push for surveillance over online communications. As Congress mulls over what to do in the wake of recently publicized hacks, it would behoove legislators to remember that the mere occurrence of a breach is not a necessary and sufficient condition for ramming rough draft legislation like CISA to a vote without carefully considering the possible alternatives to technocratic legislation that would undermine the dynamism of the Internet.

As I noted in a recent blog post, sometimes the best solution to complex problems is not top-down technocratic legislation, but bottom-up, trust-based relationships among dispersed decentralized networks of security experts and network watchdog organizations. As Friedrich Hayek once noted:

The knowledge of the circumstances of which we must make use never exists in concentrated or integrated form but solely as the dispersed bits of incomplete and frequently contradictory knowledge which all the separate individuals possess.

No one individual ever has all the knowledge at any given time or place necessary to make a truly informed decision on behalf of all other individuals. Neither individuals nor an elite can ever know enough to fully control a complex decentralized global communications platform — the Internet. We shouldn’t be lured into thinking CISA is the silver bullet that will prevent another OPM hack. Until the government gets its own house in order vis-a-vis network security, it probably shouldn’t be trusted with a deluge of more personal information from the American public.