The Cybersecurity Information Sharing Act (CISA) is either the key to combating hackers or a dire threat to Americans’ privacy—it just depends who you ask.
CISA, which will soon come up for a vote in the Senate, aims to improve public and private cybersecurity efforts by letting companies sharing information about cyberthreats with the U.S. government and respond to some of those threats themselves.
Despite the urgent need for national cybersecurity improvements, privacy groups and security experts oppose CISA—known in the Senate as S.754—because of provisions that they call vague and overreaching.
You might think that the process of companies and government agencies working together to track down cyberthreats doesn’t affect you. But if CISA becomes law, it could have a direct impact on your life, depending on how the government interprets its provisions.
So, what is CISA?
CISA is a bill that would make it easier for private businesses to tell the government, “Hey look, we detected a cyberattack, and here are the indicators of what the hackers were doing.”
These so-called “cyberthreat indicators” are key to building a system to repel cyberattacks. Just as doctors look for early signs of a disease to know how and when to take preventive measures, so too does the government rely on indicators of malicious computer activity to batten down the hatches before it’s too late; it also lets them look for similar attacks in the future.
How does CISA work?
Within 180 of CISA’s enactment, the federal government must set up a process that companies can use to send cyberthreat data to a designated government agency. The Department of Homeland Security must have a plan in place within 90 days to receive data on behalf of the government.
The procedures laid out by the government must explain in detail both the kinds of information that the government considers cyberthreat indicators and the kinds of information that cannot be shared because of existing privacy laws.
The bill contains vague warnings that the government’s procedures should be written to “limit the impact [of cyber-sharing behavior] on privacy and civil liberties,” but specific protections are not enumerated.
What are these “cyberthreat indicators” that private companies can share?
The bill defines an indicator as any information that “is necessary to describe or identify”…
- “Malicious reconnaissance,” like spy software that records passwords
- Code that defeats a security measure or exploits a security flaw
- “A security vulnerability,” including strange network activity that could indicate a vulnerability
- Code that causes a legitimate user of a system to unknowingly exploit a security bug or bypass a security measure for the benefit of third-party hackers
- “Malicious cyber command and control,” like bits of software code that point to the entity directing the attack
- The “actual or potential” consequences of a cyberattack, including descriptions of stolen data
The bill also lets companies share any other data related to cybersecurity threats unless that information cannot legally be shared due to other laws.
That last part sounds… pretty vague.
The government’s guidelines have to include requirements for preventing the misuse of shared data containing personal information, but until we see those guidelines, we won’t know how seriously the government takes that responsibility. The bill doesn’t require any specific privacy-protection methods.
The guidelines must also “protect the confidentiality of [data] containing personal information … to the greatest extent practicable,” but when it starts writing those guidelines, the government can define “the greatest extent practicable” however it wants.
So, how can the government use the cyberthreat data it gets through CISA?
CISA says that indicators can be shared with anyone in the federal government for one of several purposes, some of which trouble privacy advocates because they have nothing to do with cybersecurity.
For example, data from private companies can be shared among government agencies for “the purpose of responding to, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety.”
There are existing laws governing how the government can prosecute cases of sexual exploitation of a minor or threats to their physical safety. It is unclear how the process would differ under CISA.
Can the NSA get this cyberthreat data?
Data acquired by the U.S. government under CISA can be shared with “any Federal agency or department, component, officer, employee, or agent of the Federal Government.” That includes the NSA, the CIA, the FBI, the U.S. Fish and Wildlife Service—you name it.
And what’s this about “defensive measures”?
CISA authorizes a private company to “operate a defensive measure” on its own system to protect its “rights or property.” A company can also operate defensive measures on the systems of a federal agency or other private company, provided it gets permission from that other entity to do so.
The bill defines “defensive measures” broadly: any technique or technology that “detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability” to a system.
A defensive measure cannot be something that “destroys, renders unusable, or substantially harms” a system not owned by the company itself or by a company or federal agency that has agreed to submit to the defensive measures.
This still gives companies lots of leeway to conduct destructive “defensives measures” on their own systems that could adversely affect their users.
Can I sue a company that hurts me or my data under its CISA authority?
CISA gives companies immunity from lawsuits that arise from them sharing data and conducting defensive measures within the scope of CISA. If they engage in “gross negligence or willful misconduct” while carrying out activities described in CISA, they can be sued. But if they conform to the government guidelines that will be written based on CISA, you can’t sue them—no matter what happens as a result.
Illustration by Jason Reed