Reacting to data breaches that have compromised the security of hundreds of millions of Americans in the last year alone, Congress understandably is once again looking to take action to enhance cybersecurity. Enhancing cybersecurity is important—and Congress should take meaningful steps to protect cyberspace. But the Senate’s Cybersecurity Information Sharing Act (CISA) would be a mistake. This bill gives sweeping powers to the government to surveil cyberspace to create a veneer of security rather than incentivizing private sector cyberhygiene practices that would prevent attacks. If the bill reaches the President, he should veto it and demand that Congress develop legislation that addresses cyber threats effectively without jeopardizing our privacy.
What CISA Does
CISA is intended to consolidate and streamline information sharing on cyber threat indicators between the private sector and the government. CISA authorizes private companies to monitor their networks and share any information that falls under the bill’s definition of a threat indicator with the Department of Homeland Security, after scrubbing any personally identifiable information (PII). By consolidating cyber threat data, the bill is intended to make identifying and responding to hacks a more coordinated effort.
CISA asks companies to share any information that could constitute a “threat indicator”; the definition of a threat indicator is so broadly defined that most data could be passed on in the name of security. Any information shared is supposed to be safely ensconced with the Department of Homeland Security – but the bill makes it fairly simple for other agencies, including the NSA, to obtain access to the information shared.
From there, the data can be used in the prosecution of crimes outside of the cyber realm. The act is constructed in a manner that would allow local and state law enforcement to use information shared in cases unrelated to data vulnerabilities.
Cyberhygiene, Not Information Sharing, Is The Most Effective Way to Protect Cyberspace
CISA will be of little help in preventing data breaches and information theft from occurring. For one, the real-time sharing of information that CISA calls for would result in an overwhelming amount of information. The Department of Homeland Security would be receiving a huge volume of data, most of which contains no presence of a cyber-threat. Actual threats would be drowned out by false alarms, making it harder to catch an attack.
At the same time experts agree that information sharing is not the way to prevent massive data breaches. The numbers show that good cyber hygiene would prevent most attacks. According to the Verizon Data Breach Investigations Report, 90% of all incidents are caused by human error and 99.9% of attacks exploit vulnerabilities that have been public for over a year. Updating computer systems, securing end points, and raising awareness on cyber safety are all simple steps that would greatly reduce data breaches. The JP Morgan data breach occurred because a server was left unattended. The Home Depot hack exploited a vulnerability that the company had already been made aware of. The OPM breach occurred because the hackers obtained the log-in credentials of an OPM contractor.
Moreover, information sharing already takes place within the private sector. The larger companies share threat indicators, either directly with one another or through the Information Sharing and Analysis Centers that the government has already established. And as the OPM breach demonstrates, the government is not a secure custodian for personal data.
Serious Privacy Concerns Have Not Been Addressed
These misguided efforts to enact information sharing legislation as a substitute for real cybersecurity measures have been considered by Congress before. In response, privacy groups and the White House outlined fundamental privay problems with the legislation. For example, in response to the 2012 iteration of CISA, the White House released a Statement of Administration Policy that listed the following concerns:
• the bill shared information with the government without protecting personal information
• the bill lacked oversight to ensure that information would only be used for its collected purpose
• the bill protected companies from liability
• and the bill treated cyberspace as a realm for intelligence activities, rather than a civilian space
The 2015 version of CISA fails to address these concerns. For instance, it does not sufficiently protect PII, it allows government agencies easy access to the data collected for broad non-cybersecurity uses, ensures that companies would not be liable for cyber breaches, and functions as a tool for cyber surveillance on the American people. Three years ago the administration said it would veto a bill with such glaring failings; it should be prepared to do the same today.
Congress should take action to protect cyberspace from attacks. But the protections should be both effective at preventing attacks and carefully crafted to protect privacy and constitutional rights. The Constitution Project Liberty and Security Committee’s cybersecurity report, endorsed by national security experts from across the political spectrum, details what a comprehensive and constitutional cybersecurity policy should look like. Its detailed recommendations include the following key safeguards that CISA fails to address adequately:
• Any federal agency developing new or expanded cybersecurity programs should develop a Privacy Impact Assessment (PIA), even if one is not required by the E-Government Act, to provide transparency for the program’s development and ensure that personal privacy and civil liberties are being considered and protected.
• Both legislation passed by Congress and subsequent federal regulations should include key metrics based on existing federal privacy laws such that the repercussions of extending the national cybersecurity initiative into the private sector can be reviewed and changed in the interests of protecting American citizens’ right to privacy. The OMB and the agencies responsible for setting these metrics should conduct regular audits to review these metrics and their application on a recurring basis. In addition, federal agencies responsible for conducting cybersecurity programs should report regularly to Congress on these metrics.
• As Congress clarifies and centralizes national cybersecurity authority, independent oversight should be established to ensure that constitutional safeguards are implemented and followed across federal agencies and private industry.
• Legislation should require periodic mandatory audits by the inspectors general (IG) of the relevant agencies and should require that the IG reports include a discussion of the nature and amount of information being shared with the federal government and how it is used. These reports should be submitted to all congressional committees of jurisdiction and each IG should also prepare an unclassified version that will be made available to the public.
• Congress and the executive branch should develop programs that rely, to the greatest extent possible, on private monitoring of private networks to achieve cybersecurity. As federal agencies work with the private sector to determine which “best practices” should provide the framework for information sharing, network risk management, and other cybersecurity policy, all parties should carefully consider the impact on civil liberties.
• Cybersecurity programs relying on partnerships between the government and the private sector should include specific procedures to limit the sharing of PII between private sector and government actors. The procedures should require that data shared between the government and the private sector should have “sensitive personally identifiable information from Americans removed and sanitized.”
• Any cybersecurity legislation, regulation, or agency directive regarding information sharing should require (1) strict time limits for data retention, (2) data anonymization whenever possible, and (3) policies to diminish the risk of inadvertent or improper disclosure when a cybersecurity program requires the collection and storage of information containing PII. PII should only be collected, retained or disseminated when it is necessary to protect against or mitigate a cybersecurity threat.
• Congress and federal agencies should implement safeguards that place meaningful restrictions on aggregating and/or sharing information obtained in the course of cybersecurity. PII should not be shared with law enforcement officials or relied upon as evidence of a non-cyber crime, unless the PII was legitimately obtained as a necessary component of the data specifically flagged as a possible cybersecurity threat. All other data included in flagged communications should be unavailable for review by traditional law enforcement without first obtaining a warrant.
• Congress should ensure that any and all new legislation and regulations regarding network monitoring and reviewing communication content include a definition of “content” as it is defined under the Wiretap Act.
• Cybersecurity initiatives and technologies that involve the interception of wire, oral or electronic communications must comply with the Wiretap Act and other statutes governing electronic surveillance by government agencies, so that government officials seeking to obtain the content of such communications must first obtain a warrant or order from an appropriate court. All existing exceptions to these statutory requirements, such as the exception for exigent circumstances that would necessitate immediate action should continue to apply.
• Cybersecurity initiatives and technologies intended to protect against threats from foreign powers and agents of foreign powers, including international terrorists, must comply with the FISA, so that where applicable, government officials seeking to obtain the contents of electronic communications must first obtain a warrant through the FISC. All existing FISA exceptions, such as for exigent circumstances, should continue to apply.
• Congress should require that if federal agencies acquire content through cybersecurity operations, that information may only be used as necessary to implement the cybersecurity program and protect networks. Content should not be shared with law enforcement officials or relied upon as evidence of a non-cyber crime, unless the content was legitimately obtained as a necessary component of the data specifically flagged as a possible cybersecurity threat. All other data included in flagged communications should be unavailable for review by traditional law enforcement without first obtaining a warrant.
The Constitution Project Senior Counsel Rita Siemion and Public Policy Intern Paula Kates co-authored this article.