October 4, 2016
On December 18, 2015, President Obama signed the Cybersecurity Information Sharing Act (CISA) into law as part of a 2,000-page omnibus spending bill. As drafted, CISA was intended to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” The act authorized the creation of a system for corporate informants to provide customers’ data to the Department of Homeland Security (DHS), which, in turn, would share this information with other federal agencies, including the Departments of Commerce, Defense (which includes the NSA), Energy, Justice (which includes the FBI), the Treasury (which oversees the IRS), and the Office of the Director of National Intelligence.
As Sam Thielman of the Guardian reported, civil liberties experts had been “dismayed” when Congress used the omnibus spending bill to advance some of the legislation’s “most invasive” components. Anthony Romero of the American Civil Liberties Union criticized Congress for using the spending bill “to pursue their extremist agendas.” “Sneaking damaging and discriminatory riders into a must-pass bill usurps the democratic process,” he told the Guardian. Lauren Weinstein, who cofounded People For Internet Responsibility, also spoke critically of the legislation: “There is not a culture of security and privacy established in the government yet. You have to have that before you even consider sharing the amounts of data [CISA] would cover.” Evan Greer of Fight for the Future called CISA “a disingenuous attempt to quietly expand the US government’s surveillance programs.”
In July 2015, Senate Majority Leader Mitch McConnell had attempted to attach the bill as an amendment to the annual National Defense Authorization Act, but the Senate blocked this by a vote of 56-40.
As Andy Greenberg reported for Wired, the final Senate version of the bill removed personal information protections that privacy advocates had fought successfully to have included in a previous version. Greenberg reported that CISA had “alarmed the privacy community” by providing a loophole in privacy laws that would enable intelligence and law enforcement officials to engage in surveillance without warrants. The version of CISA approved in the Senate by a vote of 74 to 21 in October 2015, Greenberg reported, “creates the ability for the president to set up ‘portals’ for agencies like the FBI and the Office of the Director of National Intelligence, so that companies hand information directly to law enforcement and intelligence agencies instead of to the Department of Homeland Security.” Commenting on this aspect of the legislation, Jadzia Butler and Greg Nojeim of the Center for Democracy and Technology wrote, “Information shared for cybersecurity reasons should be used for cybersecurity purposes, but this legislation does not impose this simple requirement.”
Greenberg’s Wired article noted that tech firms—including Apple, Twitter, and Reddit—as well as fifty-five civil liberties groups had opposed the bill, and that, in July 2015, DHS itself warned that the bill would “sweep away privacy protections” while inundating the agency with data of “dubious” value.
In April 2016, Jason R. Edgecombe reported for TechCrunch on the release by DHS and the Department of Justice of additional “Privacy and Civil Liberties Interim Guidelines” to supplement CISA. The interim guidelines aimed to address continued concerns over inadequate privacy safeguards. In particular, the language of CISA required private entities sharing information with the government to protect only “information that the entity knows at the time of sharing to be personal information or information that identifies a specific person” (emphasis added). As Edgecombe observed, “This is a low bar: If the entity doing the sharing isn’t aware ‘at the time of sharing’ that a CTI [cyber threat indicator] identifies a specific person, it is not required to de-identify that information.”
The interim guidelines required DHS and other government agencies receiving private information under CISA to review cyber threat indicators for personally identifiable information and to remove it before sharing the data further. As Edgecombe reported, however, the interim guidelines only protect personal information “not directly linked to a cybersecurity threat.” And they do not require destruction of personal information unless it is “known not to be directly related to uses authorized under CISA.” As he reported, this wording created a “potentially vast loophole,” because CISA authorized “a number of law enforcement activities unrelated to cybersecurity.” “The best way to prevent personal information from falling into the hands of the feds,” Edgecombe concluded, “is for non-governmental entities to decline to share it in the first place.” As Censored 2017 went to press, the DHS/DOJ final guidelines had not yet been made public.
Assessing where presidential candidates Hillary Clinton, Bernie Sanders, and Donald Trump stand on cybersecurity issues, Violet Blue of Engadget reported that, while most people felt that CISA did not go far enough in protecting citizens’ privacy, “Clinton felt the law didn’t go far enough in facilitating the sharing of data between companies and the government.” Sanders voted against CISA. (“Our civil liberties and right to privacy shouldn’t be the price we pay for security. #CISA”, he tweeted on October 22, 2015.) Though Trump had not taken a specific position on CISA, Blue noted, “Trump is an outspoken supporter of government surveillance.” The NSA, he has said, “should be given as much leeway as possible.”
In November 2015, NBC News asked, “Why aren’t Presidential Candidates Talking about Cybersecurity?” The story noted that Sanders was the only candidate (other than Republican Rand Paul) to oppose CISA, and it included a “quick primer” on CISA that consisted of two sentences. On December 22, 2015, CNBC’s Everett Rosenfeld reported on President Obama having signed the “controversial ‘surveillance’ act,” but this report was derivative of Andy Greenberg’s previous report for Wired.
Andy Greenberg, “Congress Slips CISA into a Budget Bill That’s Sure to Pass,” Wired, December 16, 2015, http://www.wired.com/2015/12/congress-slips-cisa-into-omnibus-bill-thats-sure-to-pass/.
Sam Thielman, “Congress Adds Contested Cybersecurity Measures to ‘Must-Pass’ Spending Bill,” Guardian, December 16, 2015, http://www.theguardian.com/us-news/2015/dec/16/congress-cybersecurity-information-sharing-cisa-spending-bill.
Jason R. Edgecombe, “Interim Guidelines to the Cybersecurity Information Sharing Act,” TechCrunch, April 13, 2016, http://techcrunch.com/2016/04/13/interim-guidelines-to-the-cybersecurity-information-sharing-act/.
Violet Blue, “Where the Candidates Stand on Cyber Issues,” Engadget, May 13, 2016, http://www.engadget.com/2016/05/13/where-the-candidates-stand-on-cyber-issues/.