As most readers are aware, in the midst of the national turmoil following the bombings in Boston, the House of Representatives passed a version of the Cybersecurity Intelligence Sharing and Protection Act (CISPA) by a vote of 288-127. As I noted earlier, this represents 40 more votes than the bill received in 2012 – a significant improvement. Indeed, more than 90 Democrats voted for the bill, notwithstanding President Obama’s threat to veto the legislation.
Reaction in the Internet space has been fierce and, among those who tweet and blog, almost entirely negative. I’ve seen CISPA called “the law that ate civil liberties” and far worse. Many privacy rights activists such as the group, Anonymous, called for various actions to protest against the law, and a number of websites agreed to block themselves voluntarily. None the less, the best assessment is that this year (unlike last year, when the object of the protest was the SOPA/PIPA legislation) the Internet blackout fizzled. On the other hand, it seems pretty clear from public reports that CISPA, in its current form, is likely dead in the Senate – but that doesn’t mean that the concept is dead, only that many of the concepts are likely to re-emerge from the Senate in some mutated form.
Given how much heat has been caused by CISPA’s passage, I thought I’d take a moment to walk through the House legislation, step by step and assess its likely effects in as balanced and dispassionate a way as I can. For my analysis, I am working off with the engrossed bill, as passed by the House. [For those who prefer a PDF version, here is a link.]
Initial Thoughts – Let me start with the high-level assessment first. I’ve read the bill several times and the best way to characterize it, I think, is that it is somewhat confused. Section 3 of the bill (which I describe in more detail below) is the guts of the initial CISPA as it passed out of the Intelligence Committee. Broadly speaking Section 3 authorizes greater information sharing from the Federal government to the private sector and from the private sector to the Federal government. It comes with liability protections and privacy protections (about which, also, more below) that you can either think are effective or ineffective – but the dominant theme (appropriate for a bill coming out of the intelligence committee) is to think of cyber threat information as intelligence information. Section 3, to make the most obvious point, is styled as an amendment to the National Security Act in Title 50 of the US Code.
On the floor of the House, however, the bill took a sharp turn – represented by Section 2 of the bill. That section (an attempt, obviously, to assuage concerns about the intelligence community’s involvement in the civilian cyber network) layers on top of Section 3, a new superstructure. It requires the President to designate an entity in DHS as the coordinating entity for cyber threat information and another in DOJ as the coordinating entity for cyber crime information received from the private sector. Those entities, in turn, become responsible for further dissemination of the information provided within the Federal government.
If I can characterize it simply, Section 3 envisioned the creation of a web of sharing relationships; Section 2 attempts to restrain that web by creating a “hub and spoke” model centered on DHS/DOJ. I can make arguments for either plan as being more effective. It is harder to argue that it is sensible to try and combine the two ideas in a single bill – in fact, it’s so hard to make that argument that I won’t even try.
The other thought I have at the outset is that the bill has simply gotten much bigger and more complicated. When initially drafted in early 2012 it was a slim 14 pages long. Today’s version is 40 pages. I suppose that is the legislative process in its nature – and it certainly seems that the amendments, additions and reservations have made the bill more palatable. But I have to wonder sometimes. As we shall see, an awful lot of the new text takes the form of “nothing in this bill shall be construed to alter ….” – language which is either meaningless fluff because the original language didn’t alter any particular legal obligation in the first instance, or contradictory since it limits the effect initially intended by other parts of the bill. The bill has, quite literally, 8 pages of such savings clauses scattered throughout. Either way, this strikes me as a particularly poor way to write legislation, but maybe a good way to get votes.
The Details – To begin with, as I have already noted, Section 2 makes it mandatory that the Federal Government “shall” conduct coordinated cybersecurity activities, which are broadly defined as efforts to “protect, prevent, mitigate, respond to, and recover from cyber incidents.
Section 2(b) then designates two coordinating entities – DHS for cyber threat information and DOJ for cyber crime information. The intention is to centralize civilian sharing through these entities. The question is whether or not they were successful.
Sharing with Who? — Some critics of the bill have suggested that cybersecurity providers and self-protected entities (who are the two types of private sector actors authorized to share cybersecurity information with the Federal government) can still share cyber threat information with the NSA if they want – in other words, they contend that the authorization to share with the coordinating entities in DOJ and DHS is permissive and not mandatory.
I think that criticism is probably accurate – but not necessarily important. The law mandates the designation of the two coordinating entities and they “shall [be] designated . . . to receive cyber threat information that is shared” in accordance with the authorization in Section 3(a) of CISPA. That seems to me a direction that the sharing permitted by Section 3 should go through the coordinating entities at DHS/DOJ. And those entities, in turn, are obliged to share with other Federal entities under the procedures that the bill establishes. Because the structure created presupposes using DHS/DOJ as the hub for information sharing, the procedures that come with the designation are, in the end, likely to be more painless and useful than ad hoc sharing with other entities.
On the other hand, as we shall see, the language in Section 3 is much broader. It seems to still permit direct to NSA sharing of information and I am told that both Legislative Counsel and the House Intelligence Committee staff read the language as permissive – i.e. that direct sharing to NSA is still allowed. Even so, given the structures set up, I would think that sharing with the Federal government through DHS/DOJ would be a wiser option for the private sector and if I were the General Counsel of a company that would be my advice.
Still … if the privacy advocates were looking for a complete carve-out of NSA they got, at best, an ambiguous defeat.
Sharing How? — So, how will Section 2 sharing work? The procedures required (by section 2(b)(4) and (b)(5) of the bill) in turn look in two directions and seem muddled. On the one hand, the entities are obliged to share information in “real time” with anyone who needs it. At the same time, however, the coordinating entities, along with DoD and the ODNI are directed to create polices that minimize the “impact on privacy and civil liberties” (one presumes they mean to minimize the adverse impact, rather than, say, the positive impact!); limit the disclosure of information about specific persons unless necessary to protect a network or mitigate a threat; and protect the confidentiality of information shared – all while not delaying or impeding the flow of information. One is entitled to wonder how feasible these contrary requirements are – real-time sharing will likely mean oversharing; limiting disclosures and minimizing impacts means undersharing. So which is it?
Sharing What and to What Effect? – So now let’s turn to Section 3 of the bill – the portion of the bill that actually authorizes information sharing. As I said, it is styled as an amendment to Title 50 by adding a new section(to be 50 USC 1104 – though I don’t know how the code reorganization that Bobby reported on will effect that numbering).
Section 1104(a) requires the DNI to share cyber threat intelligence with the private sector and sets up procedures to allow for the granting of the requisite security clearances. Those receiving classified threat information are enjoined not to share it with anyone else so, in effect, the Federal government retains absolute control over dissemination of cyber intelligence. I am unaware of any objection to wider dissemination of classified cyber threat information – indeed, everyone seems to agree both that we do too little of it and that more would be a good thing.
Section 1104(b) is where, as they say, the rubber of information sharing meets the road of privacy and civil liberties. It begins with an authorization in 1104(b)(1) that “Notwithstanding any other provision of law” cybersecurity providers are authorized to use cybersecurity systems to identify threats and to share threat information with any other entity, including the government and the two DHS/DOJ coordinating entities.
The phrase “Notwithstanding any other provision of law” has generated a great deal of controversy. It is, by its terms, a complete carve-out from every other limitation of law. All privacy rules; all liability provisions; and all transparency and disclosure requirements imposed by other laws are nullified. The limits on this authority are only those contained in the act itself. Privacy and civil liberties advocates object to this broad language.
For my own part, I think the language is essential. It is almost impossible to catalog the panoply of Federal laws that might apply to a decision to share cyber threat information. Some, for example, have imagined the possibility of an antitrust suit against those sharing information. Unlikely, I would think – but the mere threat of liability is enough to dissuade action. And if we add on top of this all potentially contravening State laws (whether privacy protections or simple tort liability) the specter of a suit is daunting. Frankly, in the absence of this “notwithstanding” language nobody will share cyber threat information – and CISPA will be a dead letter. If we think that cybersecurity threat information needs to be shared by the private sector in greater volume (and most cybersecurity experts think it should) then something like this sort of authorization is essential.
What Limitations? – Which brings us, of course, to the real nub. If the limitations, exceptions and rules for sharing are contained only within the text of the bill, then the bill’s content is critical. Here are some of the important limitations (a non-exclusive list):
- No entity can use the cyber threat information to gain a competitive advantage (section 1104(b)(2)(B)) – evidently a response to the antitrust concern, but without any clear enforcement teeth.
- Shared information can only be used by a non-Federal recipient for cybersecurity purposes (section 1104(b)(2)(C))
- If shared with the Federal government, shared cyber information is exempt from FOIA and can’t be used for regulatory purposes (section 1104(b)(2)(d)(i)-(iii)) – clearly essential, since the information would not, otherwise be shared with the Federal government.
- Those sharing information are exempt from liability to the extent they are acting in good faith (section 1104(b)(3)) – as I’ve written before, I think the “good faith” provision is a litigation trap for the unwary and is likely to reduce the incentive to share in the private sector. I certainly understand the contrary argument (who, after all, can approve of “bad faith”?) but in my judgment if we think information sharing is a priority we will need to eliminate litigation ambiguity not create it.
- When the Federal government receives cybersecurity threat information it can use it only for cybersecurity purposes; investigating cyber crimes; protecting individuals from death or serious bodily injury; or to combat child pornography and sexual exploitation (section 1104(c)(1) – As I’ve noted in an earlier post, this is a provision that re-erects the stovepipe purpose limitations that existed on intelligence information sharing prior to 9/11. As such it is retrograde in nature. I’ve been told by some that they can’t imagine how this limitation would actually impinge on effective information sharing. I suppose the argument is that all cybersecurity threat information is, necessarily, a national security threat or a criminal threat. But that argument either proves too much (since it means that there really is no information sharing limitation and its all a sham) or too little (since then the stovepipes really are re-erected). For my own part, I can imagine scenarios that I think would be cyber purposes but not national security – and that the inclusion of child pornography is a perfectly good example of the problems created by re-erecting barriers to sharing.
- There are certain types of information that the government may not use for cybersecurity purposes even if shared with it by a private entity (section 1104(c)(4) – listing library records; medical records; education records; and firearms records among others) – This, too, seems unwise. It is likely merely a good way to draw a roadmap for malevolent actors as to the best ways to manage their intrusions. After all, do we think that educational institutions (like our research universities) are immune from attack? Or that none of them are vulnerable to malware intrusions hidden inside educational records? I understand the theoretical concern but it seems that the practical nature of the cyber surely outweighs the theoretical concern about a privacy invasion. If we have such a concern, oversight and auditing rather than prohibition would be a better answer.
- The bill creates a cause of action against the Federal government for the intentional or willful misuse of data shared with it. The cause of action comes with a liquidated damages provision ($1000 for each violation) and an attorney fee provision (section 1104(d)). Clearly the tort bar had its influence here – this strikes me as ill-considered, but then I am generally opposed to fee-shifting statutes and liquidated damages as economically unwise in most circumstances. One thing is certain – Federal managers will be incentivized to be cautious in their sharing because of this provision, which, again, seems to be sending a message that contradicts the underlying theory of the bill that cyber threat information sharing is essential.
- Finally (for now, at least) the bill retains an exceedingly problematic sunset provision in Section 4. By its terms the entire amendment to Section 1104 is repealed 5 years after enactment. I have no objection, in principle, to a sunset provision. But this one is exceedingly inartful. Since it repeals the entire set of amendments it will repeal, both the authorization to share; the liability limitations; and the other exemptions. No provision is made – none at all – for how that repeal will apply to information that has been lawfully shared prior to the sunset taking effect. One hopes that the courts would construe the repeal as effective from the date of appeal without retroactive effect, but that is by no means an certainty. We might, for example, imagine that post-repeal liability would arise for pre-repeal activity or that the government would feel obliged to treat information shared with it as subject to FOIA because the exclusion had been repealed. Surely someone can at least resolve this ambiguity going forward.
Well, that’s it – an all-too-lengthy assessment of a bill that is unlikely to become law. The bottom line is that the bill has morphed significantly from when it was introduced and has become an indistinct and muddled product that often looks in two directions at the same time. Is it the “threat to liberty” that some see it as? Absolutely not. Is it a panacea to cure cybersecurity information sharing problems? Again, no. It is, in the end, what a legislative process gives us – and a reminder of why sausage making is so unappealing to observe.