Industry Sees Cybersecurity Information Sharing Act Draft as Positive Step, Privacy Groups Urge Fixes

Industry stakeholders lauded the emergence of a draft version of CISA, which they generally said helps advance the debate over information sharing amid the 113th Congress’s inability thus far to finish work on any major cybersecurity legislation. CISA is a “step in the right direction” in improving real-time information sharing and addressing antitrust and liability issues that have impeded sharing in the past, said Bob Dix, Juniper Networks vice president-government affairs and critical infrastructure protection. Another industry executive praised CISA’s “explicit permissions for information sharing in certain situations, and also some counter measures in certain situations, such as steps to block viruses.” The bill would also “give companies more legal certainty” about information sharing,” the executive said.

There’s “more work to be done” to revise CISA, Dix said. Senate Intelligence needs to clarify the CISA language focused on informing the regulatory process, which is causing “a little anxiety” among industry stakeholders in terms of the language’s intent, Dix said. Senate Intelligence also needs to clarify CISA’s definition of personally identifiable information (PII), Dix said. There also needs to be more conversation “to ensure we've hit the mark” on liability protections, he said. CTIA Vice President-Government Affairs Jot Carpenter said he believes “the draft isn’t perfect,” but hopes Senate Intelligence will revise it “and get us to the point where it can be married up” with CISPA. USTelecom is also “working on comments to help inform the process,” said Senior Executive Vice President Alan Roth in a statement.

Privacy groups say they believe some of CISA’s privacy protections are an improvement over CISPA, but they're still not sufficient. A CISA provision that requires private-sector entities that share information to strip that information of PII unrelated to cybersecurity is a privacy “advancement” because there was previously no burden on entities to strip out that PII, said Mark Jaycox, an Electronic Frontier Foundation policy analyst. Jaycox said he believes the CISA draft’s circulation unnecessarily reopens the information sharing debate, given that President Barack Obama’s 2013 cybersecurity executive order and industry have been setting up and strengthening information sharing independent of Congress.

The American Civil Liberties Union is concerned CISA could lead to surveillance similar to the controversial NSA programs, whose existence former NSA contractor Edward Snowden began leaking last summer, said Gabe Rottman, a legislative counsel in ACLU’s Washington Legislative Office. “There’s a concern that the information could easily flow from civilian agencies to the military and intelligence community, which raises the specter of unchecked surveillance,” he said. CISA’s language “is vague and gives the government and private entities who share information a significant amount of discretion in doing so,” Rottman said. The bill’s liability protections are also overly broad, which “wouldn’t give us, the public, recourse even in the event of a significant data breach or egregious conduct,” he said.

The revelations about the NSA surveillance programs will likely prompt privacy advocates in Congress to be “doubly certain” to narrowly define any NSA role in cyber information sharing, said Greg Nojeim, Center for Democracy & Technology senior counsel. CISA “does not now do that, so I think it’s not yet ready for prime time,” he said. A CISA provision requiring that cyber information shared with one federal agency be immediately shared with other agencies has the potential to backfire and “discourage the very information sharing the bill is intended to promote,” Nojeim said. Companies that want to assure their European customers that they aren’t sharing information with the NSA wouldn’t be likely to participate in information sharing, he said. CISA also includes a “very broad exception” for state and local law enforcement agencies’ use of the shared cybersecurity information, Nojeim said. “It can be used for any law enforcement purpose, and that creates a risk of turning information sharing into a backdoor wiretap,” he said. CISA represents a “backtrack” from privacy protections included in the failed Cybersecurity Act of 2012, Nojeim said. Senate Intelligence should use that bill’s privacy protections as a baseline for CISA and the build on those protections, he said.

Senate leaders have indicated “it’s going to be a challenge” to get CISA through Senate Intelligence and the Senate in time to negotiate a final bill in conference with the House, Dix said. “But, I'm a ‘glass is half full’ kind of guy, so I will remain optimistic until there’s reason not to be,” he said. The entire timeline for introducing CISA appears to be “very much in flux,” Rottman said. Recent movement of the USA Freedom Act (HR-3361), which cleared the House Judiciary and Intelligence committees last week (CD May 8 p9, May 9 p20), may “shine a spotlight” on information sharing “and people will take a hard look” at CISA, Rottman said. A spokesman for Senate Intelligence Chairwoman Dianne Feinstein, D-Calif., said he had no specific timeline for CISA’s introduction, noting that the committee is “meeting with stakeholders and making progress.”