Controversial Cybersecurity Measure Set for Final Approval
The Cybersecurity Information Sharing Act would hand companies expansive liability protection for sharing threat information with the government.
To its detractors, it’s a surveillance bill in disguise. To its supporters, it’s a critical step toward boosting the cybersecurity of American businesses and government. And with its inclusion in a massive federal spending bill unveiled shortly after midnight Wednesday, the Cybersecurity Information Sharing Act is at last — and all but certainly — headed for final approval.
The bill aims to improve the flow of so-called cyberthreat information — things like bits of code and IP addresses used by hackers — between the government and private sector, and among the government’s many branches. It grants liability protections to businesses as an incentive to pass on that information, through a portal run by the Department of Homeland Security, to the government. The bill also authorizes the federal government, in turn, to share the data in real time with its different parts, including the National Security Agency.
Computer security experts say it is highly unlikely the measure will significantly improve cybersecurity. But amid a series of high-profile breaches of both American government and corporate servers, CISA gained momentum this summer as a way for Congress to take action on the issue, and perhaps bolster security, if even slightly. In theory, better sharing of threat information between the government and the private sector may make it easier to stop certain malware and other attacks. It is highly unlikely that more robust information sharing, however, would have stopped major recent breaches, such as the one at the Office of Personnel Management.
“This is a strong bill that takes an important first step to address a significant drain on our economy and threat to our national security,” Sen. Dianne Feinstein of California, the top Democrat on the Senate Intelligence Committee, said in a statement. Feinstein co-sponsored CISA with the powerful committee’s chairman, Sen. Richard Burr, a Republican from North Carolina.
The Senate approved the measure, 74-21, in October, and in recent weeks congressional negotiators have huddled to reconcile CISA with similar, if slightly different, House proposals. The compromise unveiled Wednesday, however, may undermine civil liberties protections, according to privacy advocates.
Privacy advocates and information-sharing proponents for months have battled over whether DHS or some other agency — perhaps within the military establishment, such as the NSA — should be the primary recipient of threat data. Privacy advocates have always argued that DHS, with its more stringent privacy protections, should operate the portal to which companies submit threat information.
In the final version of their bill they’ve gotten their wish — but with a caveat.
DHS will operate the portal used to gather and immediately share data with the rest of the government. But the bill also authorizes the White House to set up a separate portal if the president deems the DHS version insufficient or ineffective. Grassroots privacy organizations such as Fight for the Future have opposed the bill in its entirety but have argued that if the bill is to become law, housing the portal at DHS would be the “least terrible option,” in the words of Evan Greer, Fight for the Future’s campaign director.
A White House memo obtained by Reuters detailed Obama administration efforts to lobby against CISA language that included an “unnecessary prohibition” on sharing data directly with the NSA. The bill authorizes firms to share data directly with the NSA, but only offers liability protections to companies who use the DHS portal.
The final version of the bill leaves it to DHS and the Justice Department to create guidelines for preventing data on individuals from being shared with the federal government. That marks an effort to minimize potential civil liberties violations; the bill also requires companies to review data shared with the government, and remove any personal information not “directly related to a cybersecurity threat.”
According to Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute, that review process lacks clear standards. Moreover, she said, information “directly related to a cybersecurity threat” may include data on victims of cyberattacks, and could funnel their personal information into the government’s hands.
Under the bill, most of the cyber threat information shared with the government will only be used to minimize risks. But in select cases, the information could be shared with law enforcement to stop a “specific threat” of death, bodily harm, or a terror attack. The data could also be used to prosecute fraud and identity theft crimes, cases of espionage, and to protect trade secrets.
These civil liberties protections fall short of earlier proposals, and have angered privacy advocates.
“This ‘cybersecurity’ bill was a bad bill when it passed the Senate, and it is an even worse bill today. Americans deserve policies that protect both their security and their liberty,” said Sen. Ron Wyden (D-Ore.). “This bill fails on both counts.”
The business community has lobbied hard for CISA’s passage, largely because of the expansive liability protections it offers. Under current laws, companies already share attack information with the federal government and within industry groups. Yet some firms remain nervous about doing so, afraid that data-sharing may expose them to legal action from customers who allege mishandling of private information.
Extending liability protections may be one way to expand such information-sharing. Even if it fails to do so, protection from what industry lobbyists call “frivolous lawsuits” over information shared with the government is a key goal for business groups.
U.S. Chamber of Commerce President and CEO Thomas J. Donohue called the CISA plan “our best chance yet to help address this economic and national security priority in a meaningful way, and help prevent further attacks.”
The Financial Services Roundtable, another industry group among those that lobbied for the measure, cheered CISA’s inclusion in the overall spending plan. “This cyber bill is a ‘team America’ approach that will significantly improve efforts to fight cyber criminals and better protect consumer data and intellectual property,” FSR President and CEO Tim Pawlenty said in a statement.
But not all companies lined up behind the measure. CISA drew intense opposition from prominent tech companies, including Apple and Dropbox, which argued an earlier version of the bill fell short in protecting users’ personal information.
The House is set to vote on the spending bill later this week, and the measure will then head to the Senate. White House Press Secretary Josh Earnest indicated Wednesday that Obama is likely to sign the measure into law when it arrives on his desk.