The Senate is expected to consider the Cybersecurity Information Sharing Act (CISA) (S. 754) soon. Information sharing legislation that would fill gaps in existing law to make it easier for companies to share cyber threat indicators (CTIs) is probably necessary. Unfortunately, CISA is not the answer for many reasons.
First, CISA is actually a surveillance bill dressed in cybersecurity clothing. The bill allows the government to use the CTIs that companies share for cybersecurity purposes in completely unrelated criminal investigations, bypassing warrant requirements that would otherwise apply. In addition, CISA requires the Department of Homeland Security (DHS) to share the CTIs it receives, in real time, with all “appropriate government agencies.” As a result, CTIs must be passed straight through to the NSA, with no time to apply privacy-protective measures first.
Second, CISA acts like a sledgehammer rather than a scalpel, in that it preempts all other laws across the board. This will have serious, unintended consequences for privacy as well as cybersecurity. So will other provisions of the bill. For example, the bill requires companies to review CTIs before sharing them, but only to strip out information they “know” is not directly related to a cybersecurity threat. That standard reaches only what a company actually knows at the moment of sharing, so it creates no incentive to look closely. Because CISA also preempts all privacy laws, companies may simply send the government everything they have that could potentially be related to any cyber threat, even if a closer look would show that it was not.
CISA also preempts the Computer Fraud and Abuse Act (CFAA) and allows a company to deploy countermeasures on its network that cause harm to others’ networks and data, so long as the harm is not “substantial.” Courts will be left to figure out what constitutes a “substantial” harm. Many countermeasures that were previously illegal would become fair game. This is dangerous because attack attribution is hard to do reliably: the address an attack appears to come from is often a spoofed one or a compromised third-party machine the attacker is relaying through, so a countermeasure aimed at the apparent source can harm the network of an innocent bystander.
Twenty-two amendments have been proposed to fix CISA’s many flaws, including a manager’s amendment released by CISA’s co-sponsors. The amendments address some of the problems in the bill, but none of them turn this sledgehammer into the scalpel that is needed. For example, the manager’s amendment would remove certain felonies from the list of crimes for which CTIs could be used to investigate, but still permit the government to use CTIs to investigate other crimes such as espionage, identity theft, censorship, and trade secrets violations.
Congress still has a lot of work to do. It should approve the amendments Senators Wyden (D-OR) and Heller (R-NV) have proposed to strengthen the requirement that companies remove personal information from CTIs before they share them. It should adopt the House approach of ensuring that companies share CTIs with DHS, a civilian agency, rather than with a military intelligence agency that would be less transparent. It should approve amendments to promote transparency, such as Senator Tester’s (D-MT) amendment, and amendments to provide more flexibility and time for privacy-protective measures to be applied before CTIs are shared with other government agencies, such as Senator Carper’s (D-DE) amendment.
Finally, CISA should not be the only cybersecurity game in town. Congress should promote cybersecurity by prohibiting the NSA from stockpiling “zero-day” vulnerabilities, and instead require it (with limited exception) to share those vulnerabilities with the companies that can patch them. Other cyber hygiene measures such as promoting and protecting security research and facilitating “bug bounty” programs should be considered. They would make more of a difference to cybersecurity than would CISA, and do it without the blow to privacy that CISA represents.
Jadzia Butler co-authored this article. She is the Privacy, Surveillance, and Security Fellow at CDT.