The current version of CISA would allow any one of the many federal agencies using the data-sharing portal to override that "scrubbing" process, which is one of the few privacy safeguards in the controversial bill.
The Cybersecurity Information Sharing Act (CISA), which cleared a preliminary hurdle on Thursday, promotes the sharing of cyber threat data between businesses, like Facebook, and the federal government. The bill requires the government to create a process for eliminating sensitive and irrelevant material—like accidentally shared customer information—from data before it is shared with federal agencies.
But the current version of CISA would allow any one of the many federal agencies using the data-sharing portal to override that “scrubbing” process, which is one of the few privacy safeguards in the controversial bill.
National-security journalist Marcy Wheeler noticed that the manager’s amendment to CISA, which updated the bill’s language before today’s vote, contains this language in Section 105 (emphasis added):
(3) REQUIREMENTS CONCERNING POLICIES AND PROCEDURES.—Consistent with the guidelines required by subsection (b), the policies and procedures developed and promulgated under this subsection shall--
(A) ensure that cyber threat indicators shared with the Federal Government by any entity pursuant to section 104(c) through the real-time process described in subsection (c) of this section--
(i) are shared in an automated manner with all of the appropriate Federal entities;
(ii) are only subject to a delay, modification, or other action due to controls established for such real-time process that could impede real-time receipt by all of the appropriate Federal entities when the delay, modification, or other action is due to controls--
(I) agreed upon unanimously by all of the heads of the appropriate Federal entities;
(II) carried out before any of the appropriate Federal entities retains or uses the cyber threat indicators or defensive measures; and
(III) uniformly applied such that each of the appropriate Federal entities is subject to the same delay, modification, or other action; and
The “controls” referenced in (ii) are the processes for scrubbing private or otherwise unnecessary information from data prior to its sharing. The Section 105 language, thus, effectively gives the heads of the Federal Bureau of Investigation, the National Security Agency, and the other participating “Federal entities” veto power over the data-scrubbing process.
Based on this language, FBI Director James Comey or NSA Director Adm. Mike Rogers could refuse to agree to the delay necessary for data scrubbing, thus forcing the data to enter the portal—where any participating agency could access it—in unscrubbed form.
CISA’s opponents have focused their criticism on what they consider insufficient data-scrubbing requirements for the companies sharing the data, but they have said less about the scrubbing that occurs after the data has been sent to the government.
Greg Nojem, senior counsel at the Center for Democracy and Technology and director of its Freedom, Security, and Technology Project, said that requiring any involvement from officials at such a senior level was a recipe for disaster.
“The bill takes what should be an operational decision made by a technician on the ground into a virtual Cabinet-level decision that has to be agreed to unanimously,” Nojem told the Daily Dot. “It won’t happen, and as a result, cyber-threat indicators with unnecessary personal information will be shared routinely.”
The White House, the Department of Homeland Security, and the office of CISA co-sponsor Sen. Richard Burr (R-N.C.), the Intelligence Committee chairman, did not respond to requests for comment about the Section 105 language.
A spokesman for Sen. Dianne Feinstein (D-Calif.), the top Democrat on the Intelligence Committee, acknowledged that Section 105 would let one agency head veto the data-scrubbing process.
“This reflects current operational practice,” the spokesman said in a email, “as federal cybersecurity experts work together to establish standards for how they exchange information.”
Mark Jaycox, a legislative analyst at the Electronic Frontier Foundation, called the provision “yet more evidence that Senator Feinstein is misleading the public when she says she fixed privacy concerns in the bill.”
The Senate is expected vote on an amendment from Sen. Chris Coons (D-Del.) to modify this provision during a series of CISA votes next Tuesday afternoon.
Addition to controversial cybersecurity bill, which passed key Senate hurdle on Thursday, would lower barrier for US to pursue foreign nationals for cybercrime
The main aim of the amendment to the Cybersecurity Information Sharing Act (Cisa), which passed a key Senate hurdle on Thursday, is to lower the barrier for prosecuting crimes committed abroad. But the amended law would make it a crime punishable by US prison time not merely to clone the credit card or steal the Netflix password of an American citizen, but to take unauthorized information from any American company, no matter where it happens.
In other words, if a French national hacks a Spanish national’s MasterCard, she could be subject to 10 years in US prison under laws changed by the bill.
The law has already attracted heavy criticism from American privacy advocates. The Electronic Frontier Foundation points out that the computer fraud laws that would be broadened by Cisa were used to prosecute the late founder of Demand Progress, Aaron Swartz, for downloading articles from JSTOR, the digital library of academic journals.
The amendment was proposed by Sheldon Whitehouse, a Democratic senator from Rhode Island. “The White House folks have been pretty clear that that’s what they’re trying to do, ease prosecutions for trafficking when the assets are held abroad,” said Gabe Rottman, legislative counsel and policy advisor for the American Civil Liberties Union (ACLU).
Cisa’s stated purpose is to create a reporting system for private industry allowing any company with a digital record of consumer behavior to send “cyber threat indicators” to the Department of Homeland Security. DHS is then required to pass the information on the FBI and the director of national intelligence, to whom the director of the CIA reports. The DHS has come out against the bill, arguing it could sweep away “important privacy protections”. Cisa is also facing mounting pressure from tech companies, which have called for it to be rewritten or scrapped.
The bill would also block any disclosures, with specific mention of the Freedom of Information Act, about what information had been shared.
Cyber threat indicators and defensive measures provided to the Federal Government under this Act shall be deemed voluntarily shared information and exempt from disclosure under [FOIA] and any State, tribal, or local law requiring disclosure of information or records; and withheld, without discretion, from the public [...] and any State, tribal, or local provision of law requiring disclosure of information or records.
Republican senator Rand Paul of Kentucky introduced an amendment to the bill disallowing it from breaking user agreements between companies and their users. The amendment failed to pass, 32-65.
Republican senator Richard Burr of North Carolina, co-sponsor with California Democrat Dianne Feinstein, said he would not entertain any more amendments to the bill, which is now expected to receive a vote next week.