By Adam Eisgrau
Cross-posted from District Dispatch
It’s baaaaa-aaaack! S. 754, the often and aptly tagged “zombie” Cybersecurity Information Sharing Act of 2015 (CISA) reemerged this month in the Senate in new and, to be fair, somewhat improved guise. Massive opposition by a broad coalition of companies and civil society groups, including ALA, kept an even worse version from a vote this summer. But make no mistake; the bill in its current form is still being (mis)advertised by its sponsors as a means of preventing serious cyber-attacks like those perpetrated recently against the Office of Personnel Management, the Pentagon’s non-classified email system and Sony (among many other businesses).
CISA remains dangerously overbroad in key respects. It continues to pose a serious threat to personal privacy by allowing the internet, phone, financial services, credit bureaus and other institutions that hold your personal information to voluntarily “share” that data with federal security agencies if they believe they see indicators of a cyber-attack. The Department of Homeland Security (DHS) would serve as an initial “portal” for this data which they’d then be obligated to (over)share with many other arms of government at multiple levels, including the Department of Defense (DoD), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and state law enforcement agencies.
ALA and many of its coalition partners support key amendments by Senator Patrick Leahy (D-VT) to protect the Freedom of Information Act (No. 2587) and Senator Al Franken (D-MN) to narrow key definitions of terms like “cyberthreat” to better protect privacy (No. 2612).
Even if they are adopted, ALA urges every member of the Senate to vote “NO” if and when the CISA “Manager’s Amendment” to S. 754 reaches the floor.
Of special concern to libraries is a provision of the bill that, while narrowed in the Manager’s Amendment, could still expose library and municipal networks to disruption at the hands of defensive “countermeasures” taken by a company or government office that believes itself to be under cyber-attack.
In addition, with thanks for these points to the Open Technology institute, ALA also strongly opposes S. 754. Even as amended, the version of CISA that the Senate will vote on in a matter of days is still fatally flawed because of:
- Weak requirements for companies to remove personally identifiable information: The most important improvement the Senate can make to CISA during the amendment and debate process is to enhance the front-end protections for communications content and personally identifiable information (PII) by strengthening the requirement to remove that sensitive and unnecessary information. Strengthening this requirement would reduce all other privacy and civil liberties concerns, since there would be less PII to be mishandled or misused by the government or by companies. Because of how broadly CISA defines the term “cyber threat indicator,” the information that is shared could include a tremendous amount of unnecessary personal information. A chart outlining some of the types of “cyber threat indicators” that could be shared that could reveal the most personal information, is available here.
- Vague definitions of “cybersecurity threat” and “cyber threat indicator”: CISA’s definition for cybersecurity threat is the lynchpin for all of the authorities it creates. Entities may monitor their systems, sharing cyber threat indicators, and deploy defensive measures, in order to protect against a cybersecurity threat. However, CISA’s definition of cybersecurity threat includes any perceived threat, regardless of whether the action or event would be reasonably likely to cause harm. This definition is so broad that CISA could lead to significant over-sharing, which would undermine security objectives by forcing responders to sift through large quantities of unnecessary information, such as information concerning false positives. Additionally, CISA’s definition for cyber threat indicator includes some vague categories related to potential harms and “other attributes” that could lead to companies sharing unnecessary or inactionable content or PII. Thus, CISA’s broad definitions of “cybersecurity threat” and “cyber threat indicator,” and the resulting excessive sharing of useless information could significantly undermine its effectiveness because it could slow down or distract security experts as they try to identify and respond to legitimate threats.
- Authorization to share acquired information with any federal entity, including the NSA: Domestic cybersecurity and information sharing should be controlled by a civilian federal agency. Authorizing sharing with any federal entity enables companies to share information directly with military and intelligence agencies like the DoD, NSA and CIA, which undermines civilian control.
- Unclear authorization for DHS and all other federal entities to delay dissemination of cyber threat indicators to apply privacy guidelines and remove unnecessary PII: While the Manager’s Amendment allows for some delay in dissemination of threat information, delay is only permissible if all appropriate federal entities, including DoD and the Director of National Intelligence consent to the means and purpose of the delay. This undermines civilian control, and does not make clear that DHS has the authority to delay dissemination of cyber threat indicators to other entities in order to apply the privacy guidelines and to remove improperly shared or unnecessary personal information.
Look for an action alert very soon with all the details you’ll need to help stop CISA now. Thanks!
- Op-ed in The Hill: Tech industry leaders oppose CISA as dangerous to privacy and security
- Op-Ed in The Hill: Is CISA gift-wrapped for hackers and nation-state actors?