Article by Kurt Opsahl and Rainey Reitman
The Senate is moving quickly to take up the issue of cybersecurity, with a potential vote looming in early June.
This is a particularly dangerous situation because the Cyber Intelligence Sharing and Protection Act (CISPA) already passed the House, authorizing companies to spy on sensitive user content and pass that data to the government with few restrictions.
Under CISPA, the government can use the information it receives for vaguely defined “national security” purposes or share it with intelligence agencies like the NSA.
There are several bills pending in the Senate. The first one to come up is the Cyber Security Act (Lieberman-Collins). The bill is well over a hundred pages long and includes many components other than sections about sharing data with the government.
Here’s a guide to help you understand the information sharing sections of the bill, the civil liberties concerns, and how you can speak out.
Will Internet companies be able to intercept and read my email?
Under the bill, the provisions for “monitoring” are very broad. Companies (“any private entity”) are granted “affirmative authority” to “monitor information systems” and “information that is stored on, processed by, or transiting the information systems” for cybersecurity threats. A company could also monitor someone else’s network if it has been granted authority to do so, for example an outside consulting firm hired to help with network security.
The companies in question include both online service providers like Google or Facebook and Internet Service Providers (ISPs) like Comcast. When you use a web-based service like Google, your communications pass through many intermediaries. Under the bill, it is not only Google that can monitor your traffic, but any of those intermediaries as well.
Under this bill, how are “cybersecurity threats” defined?
A cybersecurity threat, under the Cyber Security Act, is defined as “any action that may result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information that is stored on, processed by, or transiting an information system.”
But the definition of cybersecurity threat indicator in the bill is much more important, since this determines the actual information that can be shared with the government.
How are “cybersecurity threat indicators” defined?
Cybersecurity threat indicators are the types of data that a company can share with the government (via a “cybersecurity exchange,” see below). The bill defines a “cybersecurity threat indicator” as information that indicates or describes one or more of eight things:
- “Malicious reconnaissance” which the bill defines as including “anomalous patterns of communication that reasonably appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat”
- A method of defeating a technical control
- A technical vulnerability
- A method of defeating an operational control
- A method of causing a user with legitimate access to an information system or information to “unwittingly” enable the defeat of a technical or operational control
- Malicious cyber command and control
- Actual or potential harm caused by an incident, including data exfiltrated as a result of subverting a technical control if it is necessary in order to identify or describe a cybersecurity threat
- “Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law”
The last one, “any other attribute,” is very broad indeed! This type of language is dangerously vague, giving companies lots of wiggle room to make creative arguments.
However, there’s also one very important privacy protection to how the bill defines “cybersecurity threat indicators” – it insists that “reasonable efforts” must be made to “remove information that can be used to identify specific persons unrelated to the cybersecurity threat.”
In addition to monitoring, what else can companies do?
The act also allows companies to deploy "countermeasures" to protect a given network. Countermeasures include the ability to modify or filter Internet traffic. Even if you are an innocent user, if companies think you are engaging in a cyberthreat, they could filter or modify your Internet traffic.
What are countermeasures and how would they work?
The term “countermeasures” refers to actions to “modify or block data packets” associated with online communications, so long as it is done “with defensive intent” for the purposes of protecting information systems from cybersecurity threats.
Under the Cyber Security Act, private entities are granted “affirmative authority” to operate countermeasures on their own information systems to “protect the information systems and the information that is stored on, processed by or transiting the information system.” Companies can also operate countermeasures on third party networks, if the third party grants them lawful access.
How are “countermeasures” different from ordinary behavior already in widespread use by ISPs and companies to protect their networks?
The limits on the “countermeasures” allowed under this bill have not been established.
If this bill passes, it could take judicial interpretation to establish those limits -- but only if cases make it to court.
Companies already use firewalls to protect their networks. ISPs do filtering as well, for example disallowing end users from hosting certain services, or de-prioritizing certain types of traffic. But this bill makes no effort to restrict the definition of countermeasures to reasonable techniques in use today.
Does this bill create new exemptions to the Freedom of Information Act?
Yes. Under the Cyber Security Act, any cybersecurity threat indicator disclosed by a non-Federal entity (like a company) to a cybersecurity exchange is exempt from disclosure. A recent letter organized by OpentheGovernment.org and signed by dozens of civil liberties advocacy organizations criticized both the SECURE IT Act and the Cyber Security Act, stating:
“Unnecessarily wide-ranging exemptions [to FOIA] of this type have the potential to harm public safety and the national defense more than they enhance those interests; the public is unable to assess whether the government is adequately combating cybersecurity threats and, therefore, unable to assess whether or how to participate in that process, and to hold officials accountable.”
Under the Cybersecurity Act, if a company improperly hands over my information to the government, do I have an effective remedy?
Probably not. This legislation sets a very high bar for holding companies accountable through civil action. Assuming that you know about the privacy invasion in the first place, you would need to prove that the company:
- Was not monitoring for the purpose of detecting cybersecurity threats and
- Did not have a "good faith" belief that they were allowed to do it (whether they are right or wrong); or
- "Knowingly" and "willfully" violated the restrictions of the law
What is a “cybersecurity exchange” and how would it work?
The Cyber Security Act would set up “cybersecurity exchanges” to receive and distribute cybersecurity threat indicators. There would be one Lead Federal Cybersecurity Exchange, appointed by the Department of Homeland Security, but other ones might also be created. Existing federal agencies can be designated as cybersecurity exchanges, including military and intelligence agencies like the National Security Agency. The Department of Homeland Security could appoint itself as the Lead Federal Cybersecurity Exchange.
There is considerable debate in Washington over whether the lead agency should be the civilian DHS or the military (i.e. the NSA). The bill punts on this question, but gives the edge to DHS for future bureaucratic fights.
Will the new “cybersecurity exchange” create new bureaucracies?
Of course. The Cyber Security Act’s extensive discussion of the creation of a federal exchange and a potential civilian exchange involves coordination between an alphabet soup of agencies, including DHS, DOJ, ODNI, DOD and DOS. They have to designate a lead exchange, consider others, consult with each other, and report to Congress.
The Cyber Security Act attempts to defuse this the easy way: “Nothing in this section may be construed to authorize additional layers of Federal bureaucracy for the receipt and disclosure of cybersecurity threat indicators.” At most, this will prevent people from calling the new layers of bureaucracy what they really are.
What safeguards are in place to ensure that this legislation won’t be used as a method of sharing data with the National Security Agency?
There are no provisions in the Cyber Security Act that would ensure this bill could not be used to funnel information to the National Security Agency. In fact, the National Security Agency could be designated as a “cybersecurity exchange” and receive great quantities of sensitive user information.
The ACLU has joined EFF in strongly criticizing a bill that allows the NSA to receive cybersecurity data, stating: “It is a long held American value that the military is not permitted to spy on Americans and their communications. Authorizing the NSA to turn its powerful spying apparatus on Americans would pose a significant threat to Americans’ privacy and would represent a major departure from American values about the role of the military on US soil.”
Can cyber security threat indicators collected under this legislation be used for other, unrelated purposes?
Yes. The data collected under the Cyber Security Act can be shared with law enforcement if it “appears to relate to a crime” either past, present, or near future.
Senator Wyden, talking about a similar provision in CISPA, noted “They would allow law enforcement to look for evidence of future crimes, opening the door to a dystopian world where law enforcement evaluates your Internet activity for the potential that you might commit a crime.” The CSA suffers the same ‘future crime’ flaw.
Whoa! Sharing what “appears to relate to a crime” is crazily broad, and surely will impinge on civil liberties. Does the Cyber Security Act throw me a bone, with some sort of vague promise to maybe think about civil liberties in the future?
Sure. Recognizing that the provision for sharing with law enforcement could impact privacy and civil liberties, the Cyber Security Act attempts to defuse criticism by forming a committee to write “policies and procedures” at some future date that are supposed to “minimize the impact.”
It also provides that the Privacy and Civil Liberties Oversight Board will look over the situation. Unfortunately, this board currently has no members, and has had none since 2007. Our civil liberties are too important to rest on faith that future regulations will solve all the problems, or on oversight by an unstaffed board.
If the Cyber Security Act passes the Senate, will we have a chance to fight it in the House?
Unfortunately, the House of Representatives has already passed a cybersecurity bill (CISPA). CISPA includes few privacy safeguards, allowing companies to spy on Internet communications and pass sensitive user content to the government. This means that if any cybersecurity bill passes the Senate – even one that has privacy protections – it will be conferenced with the House version of CISPA.
The conferencing process is a backroom negotiation in which there’s a lot of compromising, and House backers of CISPA could well seek to remove any privacy protections we might put in place in a Senate bill. The conferencing process would almost certainly be bad news for online civil liberties.
There are amendments pending on this bill. Will it get better or worse for civil liberties?
That’s a hard question. In early May, according to the Hill blog, Senate leadership was reportedly “quietly revamping cybersecurity legislation in an attempt to pick up Republican votes.” This could mean any number of things – including the possibility that the legislation will be adjusted to remove regulatory aspects or reduce the existing privacy protections for Internet users. It’s also possible amendments could be presented that would add in safeguards for privacy.
Right now, all of the amendments, whether good or bad for Internet rights, are being negotiated behind closed doors, away from public discussion and accountability. This means Internet users are being kept largely in the dark until most of the negotiations are over.
We encourage individuals to use our action center to speak out: tell Congress not to sacrifice civil liberties in a rush to pass cybersecurity legislation. Hearing from constituents is the best way to ensure privacy rights stay front and center in this debate.
How can I speak out against this bill?
We urge Internet users to contact Congress and tell them to support privacy-protective amendments and oppose the cybersecurity bills. You can use our action center to send an email or call your Senator.
Cross-posted from Electronic Frontier Foundation