A close look at CISPA

You may remember that about three months ago, the internet erupted in an uproar over two copyright protection bills, SOPA and PIPA, which were working their way through the House of Representatives and the Senate, respectively. Now there is another bill, the Cyber Intelligence Sharing and Protection Act (CISPA), which has many of the same people concerned. Indeed, a lot of privacy advocates are warning that CISPA is even worse than SOPA and PIPA. But other people are saying that it’s nowhere near as bad. One way or another, there seems to be a lot of misinformation floating around about this bill, so just as I did with PIPA, I thought it would be useful to go straight to the source and see what CISPA is really about.

As usual, this post comes with the standard disclaimer that I am not a lawyer and this is not legal advice. I make no guarantees about the correctness of this information. If you’re concerned about specific effects that CISPA could have on you personally, check with a lawyer.

Now then, to the source. The text of the bill itself can be found on the Library of Congress website as House Resolution 3523. It consists of an addition to title 50 of the United States Code, which deals with national security. The proposed addition starts out as follows:

Sec. 1104. (a) Intelligence Community Sharing of Cyber Threat Intelligence With Private Sector--

(1) IN GENERAL- The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence.

But let’s hold on a minute. The capacity for information sharing that CISPA introduces comes with restrictions, which are spelled out by the next paragraph of the bill.

(2) SHARING AND USE OF CLASSIFIED INTELLIGENCE- The procedures established under paragraph (1) shall provide that classified cyber threat intelligence may only be--

(A) shared by an element of the intelligence community with--

(i) certified entities; or

(ii) a person with an appropriate security clearance to receive such cyber threat intelligence;

(B) shared consistent with the need to protect the national security of the United States; and

(C) used by a certified entity in a manner which protects such cyber threat intelligence from unauthorized disclosure.

A “certified entity” is defined in subsection (g) of the bill as follows:

(1) CERTIFIED ENTITY- The term certified entity' means a protected entity, self-protected entity, or cybersecurity provider that--

(A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence; and

(B) is able to demonstrate to the Director of National Intelligence that such provider or such entity can appropriately protect classified cyber threat intelligence.

and in turn, “protected entity,” “self-protected entity,” and “cybersecurity provider,” and the related term “cybersecurity purpose,” are defined as

(4) CYBERSECURITY PROVIDER- The term cybersecurity provider' means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.

(5) CYBERSECURITY PURPOSE- The term cybersecurity purpose' means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from--

(A) efforts to degrade, disrupt, or destroy such system or network; or

(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

(7) PROTECTED ENTITY- The term protected entity' means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.

(8) SELF-PROTECTED ENTITY- The term `self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.'

OK, soo… if I’m getting this right, certified entities are basically businesses or organizations that either produce or use (or both) computer security technology, and either have or are eligible for a certain level of security clearance, and which confirm that they are capable of protecting whatever information they receive from unauthorized use. Sure, simply being capable of obtaining a security clearance, and being capable of protecting information, is not saying much. That’s where subparagraph (C) comes in; it actually requires these certified entities to protect the information they’re given. In essence, the bill is setting up the framework to ensure that, once privileged information leaves the intelligence community, it doesn’t go any further.

Now, what sort of information gets out in the first place? That is loosely addressed by subparagraph (B), which says that the government can only share information as necessary to protect national security. There are a couple of problems I have with this statement, though. First of all, it’s really vague on what exactly is necessary to protect national security. I understand that intelligence services need to have flexible tools to deal with problems that they haven’t anticipated, and it would hinder their work to specify a complete list of circumstances under which information could be shared outside the government, but I really feel like some restrictions could be put in place here — for example, sharing information might only be allowed

1. when necessary to get access to additional information for which the private entity is the only source, or
2. when necessary to facilitate the cooperation of the private entity in an ongoing investigation; and
3. in the face of an imminent threat to national security such that the delay required to go through legal proceedings in a court (i.e. getting a warrant) could lead to property damage or loss of life.

It might be necessary to create some additional procedure by which a court could approve a request to share information with the private sector, since warrants are usually used to take things, not to give them out (as far as I know), but certainly that could be part of the bill as well. Honestly, I’m not sure exactly what sorts of situations prompted this bill to be written, and so I’m not sure what sorts of restrictions would be appropriate. But if history is any indication, intelligence agencies will try pretty hard to pass all sorts of things off as being required in the name of national security, and the current wording gives them free reign to do just that. And as with any organization, there are almost certainly going to be a few people in the intelligence community who would abuse that power.

The other thing that bothers me about this is that there is no accountability for what information gets shared and why it had to be shared. Later on in the bill, subsection (d) specifically, there is a provision that specifies that any sharing of information with the federal government under this act must be described in an annual report to Congress. But it says nothing about information shared by the federal government.

(d) Report on Information Sharing--

(1) REPORT- The Inspector General of the Intelligence Community shall annually submit to the congressional intelligence committees a report containing a review of the use of information shared with the Federal Government under this section, including--

(A) a review of the use by the Federal Government of such information for a purpose other than a cybersecurity purpose;

(B) a review of the type of information shared with the Federal Government under this section;

(C) a review of the actions taken by the Federal Government based on such information;

(D) appropriate metrics to determine the impact of the sharing of such information with the Federal Government on privacy and civil liberties, if any; and

(E) any recommendations of the Inspector General for improvements or modifications to the authorities under this section.

(2) FORM- Each report required under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.

I for one would feel much better knowing that if somebody is abusing the ability to share classified information, there is at least a framework set up for that to be reported to a higher authority. (Not that I really trust Congress, but like it or not, it is their job to oversee intelligence activities.)

Whew. OK. Let’s move on to the next part of the bill, subsections (b) and (c), which deal with the reverse process, namely when private-sector entities share information with federal intelligence services.

(b) Private Sector Use of Cybersecurity Systems and Sharing of Cyber Threat Information-

(1) IN GENERAL-

(A) CYBERSECURITY PROVIDERS- Notwithstanding any other provision of law, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes--

(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity; and

(ii) share such cyber threat information with any other entity designated by such protected entity, including, if specifically designated, the Federal Government.

(B) SELF-PROTECTED ENTITIES- Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes--

(i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and

(ii) share such cyber threat information with any other entity, including the Federal Government.

This part seems straightforward enough; it’s basically saying that a technology security company can share with the government (or anyone else) information about threats to its systems or its clients’ resources, with the explicit permission of the client, when doing so is necessary for the company to do its job of protecting the client.

(2) USE AND PROTECTION OF INFORMATION- Cyber threat information shared in accordance with paragraph (1)--

(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including appropriate anonymization or minimization of such information;

(B) may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information; and

(C) if shared with the Federal Government--

(i) shall be exempt from disclosure under section 552 of title 5, United States Code;

(ii) shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information; and

(iii) shall not be used by the Federal Government for regulatory purposes.

And this part specifies conditions on when and how that information can be shared: basically that it has to be done in accordance with the company’s own privacy policy, and that it can’t be used for inappropriate purposes (though I’m not positive that “can’t be used for competitive advantage” really covers all the inappropriate purposes one could come up with). It also says that information shared with the government is exempt from Freedom of Information Act requests, which is a pretty necessary stipulation, so it’s good to see that that was included.

(3) EXEMPTION FROM LIABILITY- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith--

(A) for using cybersecurity systems or sharing information in accordance with this section; or

(B) for not acting on information obtained or shared in accordance with this section.

This paragraph is an interesting inclusion mostly because of the second item, which provides immunity from prosecution for declining to use any of this cybersecurity information. I like this clause because it means that, if you’re ever not sure about the legal status of some information shared pursuant to this act, the safe “default” course of action is to just leave it alone, and that way there will be no legal consequences. This is much better than the alternative of providing immunity from prosecution for people who believed they were acting in compliance with CISPA but who actually weren’t.

There is one thing I don’t get about this subsection, though. Why is it even necessary? After all, most companies already have privacy policies, and most of those already say that they may share information with the government in accordance with a court order or when necessary to protect their business, in some cases even without explicit approval by the client. Now, granted, this is coming from the perspective of an individual, and subsection (b) does not apply to individuals (it talks about “protected entities,” which are organizations, not people). But I would imagine that businesses have similar agreements in place when they deal with each other. So everything that this piece of CISPA allows was already perfectly legal? Maybe it just needed to be explicit, but I just don’t see the point.

There’s one more piece of the bill that I want to look at, and that is subsection (c), which governs how the federal government (in particular, the intelligence community) may use any information it receives from private-sector entities.

(c) Federal Government Use of Information-

(1) LIMITATION- The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b) for any lawful purpose only if--

(A) the use of such information is not for a regulatory purpose; and

(B) at least one significant purpose of the use of such information is--

(i) a cybersecurity purpose; or

(ii) the protection of the national security of the United States.

OK, so they can’t use it to influence policymaking, or at least that’s what I assume “not for a regulatory purpose” is supposed to mean. But would it be so hard to just prohibit using this information for any purpose other than protecting national security? I feel like that would be a lot cleaner, and it closes the loophole of someone thinking up a wacky way to use shared information that is not regulatory but not intelligence-related either.

(3) ANTI-TASKING RESTRICTION- Nothing in this section shall be construed to permit the Federal Government to--

(A) require a private-sector entity to share information with the Federal Government; or

(B) condition the sharing of cyber threat intelligence with a private-sector entity on the provision of cyber threat information to the Federal Government.

This final piece (that I’m going to talk about) says that the bill does not give the government the authority to demand information from a private company, at least not in any way that isn’t already permitted by existing laws (namely, with a search warrant). It’s definitely a good thing to make clear that intelligence agencies are still not allowed to bypass the judicial process; CISPA does not enable warrantless wiretapping and the like.

So where does that leave us? Well, there are a lot of people saying CISPA is worse than SOPA and PIPA. I do not agree. The thing that particularly bothered me about the PROTECT-IP Act was that it allowed the government to take highly restrictive actions against website operators without going through the judicial process to determine whether those website operators had actually done anything wrong. It tinkered with the “innocent until proven guilty” mantra that our justice system is (supposed to be) based on. CISPA does not. In fact, as I pointed out above, there are a couple of clauses inserted which effectively prevent the intelligence community from escaping judicial oversight (any more than they already do).

On the other hand, CISPA does enable some channels for information sharing which, in my opinion, are not sufficiently regulated and monitored. If Wikipedia is to be believed, the bill’s sponsors are considering another round of changes that may help close some of the loopholes I’ve identified, but that’s still tentative; besides, if you’re the type of person who is a little more concerned about privacy than I am, then the idea of this information sharing in any form probably seems pretty bad. I’ll probably be contacting my representatives about this, and whatever your opinion about it, I encourage you to do the same!