As Senate Cybersecurity Vote Nears, CISA Remains Seriously Flawed
This week, the U.S. Senate will vote on the Cybersecurity Information Sharing Act. Also known as “CISA,” the bill aims to improve cybersecurity by making it easier for companies and the government to share information about potential cyber threats with each other. (The latest version of CISA is here; a package of amendments slated to be voted on is here.) But CISA suffers from a serious flaw that Senate lawmakers have repeatedly ignored: the bill doesn’t put agencies on the hook if they misuse information shared with them in the name of cybersecurity.
CISA’s basic premise—that information sharing can improve cybersecurity—makes sense, as I’ve long argued. Every day, big Internet companies deal with all kinds of cyber attacks, many of which target data that providers store on their customers’ behalf. Internet firms learn from the attacks they experience, and over time, they can improve the resiliency of their systems. Similarly, the more willing companies are to share information about cyber threats with federal agencies upon request, the better the government will be equipped to investigate and punish cyber criminals.
But a thicket of state and federal laws limit how companies can share what they learn about cyber attacks with other businesses or government agencies. To encourage information sharing between the private and public sectors, CISA protects companies from lawsuits if they share data about bona fide cybersecurity risks—known as “cyber threat indicators”—even if such sharing is not otherwise allowed under existing state or federal law.
Under CISA, companies that face a diverse array of cyber attacks may well end up sharing many different kinds of information with the government. Although the bill lets companies share only information that’s “necessary to describe or identify” a cyber threat, the language is broad enough to potentially encompass relatively innocuous information. For example, New America’s Open Technology Institute has noted that an “online banking customer who mistypes their password too many times and gets locked out of their account may initially be perceived as a threat by their bank.” CISA also requires companies to strip personal information from cyber threat indicators prior to sharing them, but only if the company actually “knows at the time of sharing” that the indicator contains personal information.
CISA supporters maintain that “[i]n the vast majority of cyber incidents, [cyber threat indicators] do not implicate a person’s behavioral, financial, or social information.” If a company adopts too liberal a construction of the bill, it might lose protection from liability. Moreover, regardless of CISA’s definitions, companies stand to suffer in the market if word gets out that they casually hand out private individual data to the government based on a hunch that it might describe some cyber threat.
Still, many privacy-focused groups oppose CISA, calling it a “cyber surveillance bill” on the grounds that it makes it too easy for the government to strong-arm companies into handing over customer information. Do these groups exaggerate the extent to which the legislation is likely to undermine Americans’ privacy in the real world? Perhaps—but there is a real risk that the federal government will insist on interpreting CISA as broadly as possible in hopes that companies will divulge information freely, even if its relevance to a cyber threat is fairly tenuous. Could a private email thread that mentions a newly discovered software vulnerability end up in the feds’ hands under CISA? It’s a possibility we can’t rule out, at least until federal courts clarify the contours of the law.
This is not to say that Congress should abandon cyber info sharing legislation entirely, nor that lawmakers must define statutory terms so precisely that the law will need a rewrite every few years. But if Congress wants to lift barriers to beneficial information sharing without endangering individual privacy, it’s essential that any legislation contains robust safeguards against unwanted uses of information. In particular, because CISA lets companies hand over non-public information to the government in ways that would otherwise violate the law, the bill should include a “meaningful deterrent against government agencies using information they receive from companies in ways that exceed the uses authorized by the [legislation],” as I explained in early August.
How does CISA address the potential for government abuse? It requires the Attorney General and Secretary of Homeland Security to create procedures that govern how federal agencies may use cyber threat information they receive, and provide “appropriate sanctions” for federal employees who “knowingly and willfully” violate the law. The bill also bars agencies from using shared cyber threat indicators to regulate any company’s behavior, unless it relates to cybersecurity. And CISA bans federal entities from using shared cyber threat indicators except for limited purposes relating to cybersecurity, threats of seriously bodily or economic harm, serious threats to a minor, or for investigating certain other criminal offenses involving economic loss.
Missing from CISA, however, is a crucial safeguard: a “private right of action” that lets people sue the government if they’re injured when an agency misuses personal information it receives from a company for cybersecurity reasons. Including such a provision should be a no-brainer—it can be found in nearly every other major cybersecurity bill that’s made it out of committee in Congress. For instance, the two cybersecurity bills that passed the House earlier this year—the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act—both contain a private right of action. So did the Cyber Intelligence Sharing and Protection Act, which passed the House in 2012 and again in 2013.
If we could count on government agencies to effectively and reliably police themselves, a private right of action wouldn’t be necessary. In reality, however, agency officials violate the law all the time, and they rarely face serious consequences—if any. From “epidemic[s]” of federal prosecutorial misconduct to removing classified federal records from agency systems to lying while under oath to a congressional committee, officials all too often skirt their legal duties with impunity. That’s why Congress must let people who are injured by official misconduct sue the government for damages; otherwise, agencies can hide behind sovereign immunity to avoid liability for wrongdoing.
Say a federal prosecutor decides to investigate a person for potential criminal misconduct based on suspicions derived from information shared with the federal government by a cloud computing provider under CISA. If the person ends up facing prosecution for something unrelated to CISA’s narrow list of permitted uses of cyber threat information, what can she do? Without a private right of action, successfully suing for damages is out of the question. Requesting an internal investigation of the prosecutor’s behavior is an option—but how such an inquiry is resolved is up to Department of Justice, not an independent judge. Asking a court to suppress evidence is another possibility, but CISA never mentions such a remedy for information derived from cyber threat indicators—and courts are very reluctant to suppress evidence simply because the government obtained it in violation of some statute, unless the statute expressly requires suppression. See, e.g., Sanchez-Llamas v. Oregon, 548 U.S. 331, 348 (2006).
To be clear, sharing information under CISA is voluntary: the bill doesn’t force companies to hand over information to the government or to other firms. But CISA’s safeguards create the appearance that federal agencies will land in hot water if they misuse the information they receive. Consider this scenario: a top federal official asks an Internet company to “volunteer” some information that’s thought to indicate a cyber threat, but the company fears that sharing the data might implicate its users’ privacy. “Don’t worry,” the official says, “we’re only allowed to use what you share with us to protect Americans from cyber attacks—the law says we can’t use this data to investigate crimes or enforce regulations except for the purpose of cybersecurity. Besides, federal procedures limit how we can share this information with other agencies.”
For many Internet companies, resisting such a pitch—especially one delivered by a top federal official—will not come easily. From state attorneys general to United States Senators, prominent public officials have a long track record of “persuading” private companies to “voluntarily” take actions that the government could not legally compel them to do. Shielding companies from potentially serious liability for sharing information about cyber threats will surely invite more sharing, thus improving our cybersecurity awareness—but freer information flows between companies and the government implicate our liberty as well as our cybersecurity.
If CISA’s backers in the Senate are sincere when they insist that the bill isn’t about mass surveillance, the best way they can prove it is by letting Americans who suffer if and when federal agencies misuse cyber threat information have their day in court. Until and unless the bill is so amended, however, passing it would be a serious mistake.