Cross-posted on The American Prospect
The debate over cybersecurity legislation the Senate will soon consider suffers from a lack of truth in advertising, beginning with the bill’s name: the “Cybersecurity Information Sharing Act.” The legislation would do little to improve cybersecurity, conspicuously lacking the basic measures that security experts agree are necessary. Instead, it drives a hole through existing privacy laws, allowing the government to access private citizens’ personal information without their knowledge or consent—the kind of “information sharing” usually described as “surveillance.”
Leveraging Threats to Expand Powers
CISA is not the first legislation to leverage a security threat in service of intelligence and law enforcement agencies’ continual quest for more leeway. After 9/11, lawmakers and officials portrayed the USA PATRIOT Act as an emergency-response measure designed to give the government the powers it needed to respond to Al Qaeda. In fact, the bill’s provisions were drawn from a wish list of powers the executive branch had long coveted, but had been unable to secure in the absence of a crisis.
Fourteen years later, that crisis finally has begun to recede in Americans’ minds. The desire to have the government protect us at all costs has been replaced by a sense that the government has gone too far. Fueled by Edward Snowden’s disclosures, public support for broad government surveillance has waned. In June, Congress took the first step toward retrenchment when it passed the USA FREEDOM Act, ending the National Security Agency’s (“NSA”) indiscriminate collection of Americans’ phone records.
But law enforcement and intelligence agencies still have a wish list. It’s a wildly ambitious one that could be justified only by a crisis of existential proportions. Enter cybersecurity.
Cybersecurity: the Real Threat, and the Real Solutions
Threats to cybersecurity are the perfect hook on which to hang a bid to expand executive power, because both the nature of the risk and the ways in which it can be mitigated are so poorly understood. Few Americans grasp how the Internet works, but we all recognize our society’s level of dependence on it. It is thus easy to imagine that a cyber attack could be an apocalyptic event. Movies and television shows feed this perception, just as they perpetuate the notion that torture is an acceptable and effective means of intelligence gathering. Fearing the worst and lacking the technological expertise to evaluate solutions, we are willing to give the government whatever powers it says it needs.
In fact, the threat of a cyber attack ushering in a dystopian future is overblown. Consider the oft-repeated warning that a foreign enemy could “take down the grid” and leave the entire nation without power. The systems at issue are sufficiently decentralized, and enough redundancy is built into them, that such an event is highly unlikely. Even a smaller-scale power outage would be difficult for an outsider to bring about.
A far more likely scenario is the large-scale theft of personal data, such as the recent attacks on Target, Sony, and the federal government’s Office of Personnel Management (OPM). To be sure, such events may constitute a personal apocalypse for affected individuals, who may face financial loss, ruined credit, or worse. But they will not bring the nation to its knees.
That said, cyber attacks impose real harms on their victims, and the government unquestionably should take steps to shore up cybersecurity. The most effective cybersecurity measures, by far, implement basic “cyber hygiene”: things like encrypting data, updating software, using multi-factor authentication, and setting strong passwords. There is broad agreement among computer security experts that such techniques would prevent 80 to 90 percent of cyber attacks. Failure to implement good cyber hygiene was at the root of the attacks on OPM, JP Morgan, Home Depot, and Anthem, for example. If Congress is concerned about cybersecurity, it should enact legislation to require or encourage vulnerable entities—starting with federal agencies—to take these simple steps.
Turning Cybersecurity Into Cybersurveillance
Instead, officials and lawmakers are promoting “information-sharing” legislation. CISA authorizes companies to monitor Internet users’ activities to identify potential cybersecurity threats. Companies may then transmit information about perceived threats to any federal agency, and the agency must turn the information over to the Department of Defense and the NSA. The ostensible purpose is to allow the government to take defensive action and/or to warn other companies in order to prevent or contain an attack.
This may sound good, but there is no reason to think it would have prevented any of the known recent attacks. Security experts have expressed skepticism over whether more information flowing from the private sector to the government would be helpful. They note that companies currently share the necessary information with one another, and the government rarely transmits useful information to the companies.
Indeed, the bill could make our data less secure. It would enable the transfer of more personal data to the custody of government agencies that have done a notoriously poor job of protecting their own databases from security breaches. It also authorizes companies to engage in counter-attacks that otherwise would violate federal anti-hacking laws, and could have widespread collateral effects on innocent parties.
But even assuming it would be beneficial for companies to give the government more information about some aspects of cybersecurity threats, the information CISA allows companies to provide goes far beyond the information experts identify as relevant. The bill defines “cybersecurity threat” quite broadly: any unauthorized effort to cause harm to an information system qualifies, regardless of who perpetrates it and whether it has any chance of causing real damage. CISA allows companies to share information necessary to describe any “attribute” of that threat, opening the door to the disclosure of the very customer data that is threatened. Companies may transmit customers’ data without removing personally identifiable information in most instances, even though such information rarely will be needed to understand or respond to the threat.
Perhaps most tellingly, companies may share the information, and the government may use it, for a range of reasons wholly unrelated to cybersecurity—including the investigation of garden-variety crimes like carjacking, robbery, arson, firearms possession, or trade secrets violations.
A Giant Loophole in Federal and State Privacy Laws
A protective shield of privacy laws currently makes it illegal for companies to disclose personal customer data to the government, unless a criminal or foreign intelligence investigation is underway and the government has a sufficient factual basis to obtain the requisite subpoena or court order. These restrictions—some of which have been in place for decades—have long frustrated law enforcement officials, who would prefer free access to the trove of data companies hold.
CISA expressly overrides these protections. Its grant of authority for companies to monitor and share information about their customers’ Internet activity applies “notwithstanding any other law,” thus effectively amending every federal and state privacy law that limits disclosures of such information. True, CISA would not require companies to turn over information the government wants. It removes the main obstacle to voluntary disclosure, however, conferring immunity on companies that share information. CISA thus would allow companies and the government to bypass a host of federal privacy laws, and customers would have no ability to sue to enforce them.
It’s not surprising that the government prefers to exploit a little-understood threat to weaken privacy laws, rather than directly attempting to amend them—a task that would be politically messy and, in the post-Snowden era, probably impossible to execute. While these laws are a nuisance to officials, however, they are a critical safeguard for the privacy of law-abiding Americans. And, in the meantime, cyber attacks remain a real problem—one that CISA fails to address. A more forthright conversation about the nature and effect of this legislation would better protect both our privacy and our cybersecurity.