Last Week in Tech Law and Policy, Vol. 25: The CISA/CISPA See-Saw of Cybersecurity

The government intelligence community has long vocally advocated for so-called “backdoors” in encrypted digital communications systems. Proponents of these special modes of entry and intercept into otherwise protected databases and communications believe they are a necessary part of national security in the modern age. However, attempts to statutorily codify these ideas have met significant opposition.

Not to be deterred, the government is currently seeking alternate ways to gather information about suspected criminals and terrorists. Two weeks ago, the Senate passed the Cybersecurity Intelligence Sharing Act (CISA). This bill seeks primarily to permit information technology companies to “voluntarily” share information about security threats with the Department of Homeland Security. Companies would be given immunity both from liability and from FOIA requests regarding this information sharing. A proposed amendment that would have required the scrubbing of personally identifiable information in this information sharing failed to pass.

CISA is in many ways a reiteration of Congress’s previous attempt to create such mechanisms for gaining information related to potential cyber-threats and homeland security issues, the Cyber Intelligence Sharing and Protection Act (CISPA).

CISPA passed in the U.S. House of Representatives, but was believed to have died in the Senate as a result of heavy public opposition. However, Chairwoman of the Senate Intelligence Committee, Sen. Dianne Feinstein (D-CA) and Sen. Richard Burr (R-NC) have led the most recent effort to introduce CISA, which many advocates have identified as being largely the same bill. Other similar bills have also recently moved through the legislative process, although they have gained less traction.

Thus far, CISA has received a rhetorical trouncing similar to its predecessor's. Natasha Lennard at The Intercept opined that “[i]t is the very meaning of a surveillance state: a corporate-government nexus under which no personal data is shielded.” Specifically, the most common criticism of CISA has been the broad, vague language of the bill’s information sharing provisions. Mike Goodwin at Slate.com describes the issue:

What’s a “cyber threat indicator”? Section 2 of the bill . . . offers a definition so broad that it’s hard to be certain, even after multiple rereadings, what this term doesn’t include. It appears to cover any “information” that would “describe or identify” any “method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability.” This language could apply to anything.

Other critics have observed that the bill provides no mechanisms for checking the actual utility of CISA’s measures. As Brian Krebs notes, “The most frustrating aspect of a legislative approach to fixing this problem is that it may be virtually impossible to measure whether a bill like CISA will in fact lead to more information sharing that helps companies prevent or quash data breaches.” Indeed, there is reason to believe that, even if enacted, CISA would be ineffective as a national security or cybersecurity measure.

Although the Obama administration forcefully opposed CISPA, the White House has recently come out in favor of CISA, to the surprise of many privacy advocates. Other proponents of CISA (among them the Telecommunications Industry Association, The Heritage Foundation, and—allegedly—Facebook) have argued that the bill is merely meant to be a cybersecurity measure, but there is continued reason to believe that such rhetoric masks the surveillance threat believed to come with it.

Other critics, acknowledging the legitimate security aims, have concurred that CISA’s sweeping language reaches too far and that implementing privacy-protecting amendments would be both legislatively and practically impossible. Perhaps most surprisingly, the Department of Homeland Security has joined privacy advocates in condemning CISA as overbroad and unnecessary to achieve its desired ends.

In light of recent mass-scale cyber attacks and infrastructure vulnerabilities that have already been identified, there is no doubt that improved cybersecurity is—and should be—a high priority for Congress. However, technical realities, lack of accountability, and built-in incentives to misuse overbroad legislative mandates continue to plague the government’s attempts to address national security issues.