Busting the Biggest Myth of CISA---That the Program Is Voluntary

A cybersecurity bill in front of the Senate aims to create a voluntary framework for sharing customer data, but it mostly pays lip service to privacy.
Getty Images

When the U.S. Senate returns in September, one of its priorities will be to pass so-called “cybersecurity” legislation, namely the Cybersecurity Information Sharing Act. The deficiencies in the bill, including its failure to meaningfully protect individuals’ personal information and its overbroad legal immunity for companies, have been fairly well documented. While proponents of the bill have tried to mute the conversation, they have not been able to point to a single recent data breach that CISA could have prevented. However, one part of the bill that hasn’t received enough attention has to do with how it will force companies to interact with the government.

CISA creates what lawmakers are calling a voluntary program. It allows companies to choose to send certain swaths of information, which may include very personal information about users, to the government. This information is supposed to help the government prepare for and respond to certain cybersecurity threats, particularly the perennially worrisome “advanced persistent threat.” Companies may choose to share information with any number of government agencies, including military agencies, but will receive a bonus reward in the form of protection against any legal liability if that information is shared directly to the Department of Homeland Security (which is then required to transmit the information in real time to agencies like the NSA anyway).

Separately, CISA allows the government to transmit information back to “relevant entities,” a term that remains undefined throughout the bill. These entities are intended to be defined only if and when the bill becomes law through an agency process, which is directed to “incorporate, to the greatest extent practicable, existing processes and existing roles and responsibilities of Federal and non-Federal entities for information sharing by the Federal Government.”

It is instructive here to look at how the government has handled “cybersecurity” information dissemination in other contexts. For example, the Department of Homeland Security maintained an “information sharing” program specifically for defense contractors (the program was eventually expanded and rolled into DHS’s EINSTEIN programs). The program also loudly advertised itself as “voluntary” — no company was compelled to participate. However, key parts of documents obtained and released to the Electronic Privacy Information Center pursuant to the Freedom of Information Act reveal a different story. (Our thanks to EPIC for their great open government work.)

In order to receive information as part of the program, entities were required to sign contracts as program “participants.” This would not have been so bad, except that a precondition for being a participant was the requirement that the entity file reports with the government on a regular basis. In fact, the Defense Industrial Base Pilot Cybersecurity Plan definitively showed that participants were required to agree to transfer information about their private network traffic to the government.

Nothing in the letter or spirit of CISA (or its brethren of bad surveillance laws masquerading as cybersecurity legislation) would prevent DHS from establishing a similar compulsory process, all while trumpeting the “voluntary” nature of the program. In fact, the “cyber threat information” that the government would be allowed to share with participating companies under the bill may, and foreseeably will, provide so much of a competitive advantage — the advantage of being “in the know” — that companies will be forced to participate simply to keep up with their participating competitors. Not to comply might actually harm their corporate interests and put their customers at risk. A world where a company is forced to betray its users in order to protect them is backward indeed.

Access calls upon all companies to outright oppose CISA and the other “cybersecurity” bills that have been introduced in this Congress. They all strike a deal that sacrifices people’s privacy and security at the altar of corporate liability protection. Instead, these companies should publicly pledge not to participate in any government-run information sharing program that does not provide adequate privacy protections for users, including a right to remedy and provisions for transparency and accountability. In the meantime, Congress should be focusing on passing cybersecurity legislation that would actually assist companies in enhancing their digital security efforts, not in harming users’ privacy.