Thoughts on CISA 2015 / CDT Filing

A blog post from March 4, 2015

The Center for Democracy and Technology (CDT) recently released a discussion of issues with a draft Senate bill, the Cybersecurity Information Sharing Act of 2015 (CISA). I agree with much of CDT's analysis, but I disagree with parts of it and with some of its conclusions.

First of all, I would like to praise what the bill gets right. Specifically, Section 4(d)(2) puts the onus of removing or obfuscating personally identifiable information (PII) on the entity sharing the threat indicator. Given that most threat indicators do not include PII, this is not an undue burden. In the unlikely event that an indicator does contain PII, making the sharing entity liable for leaking it is a sensible step.

I disagree with CDT’s characterization of the bill’s “hack back” stipulations. The bill is very explicit that the only time a first entity can apply a countermeasure to a second entity’s system is if the first entity has explicit, written permission from the second entity. Any of the “hack back” scenarios posited by CDT would be illegal under the bill. I applaud that provision. Under no circumstances should a private entity be allowed to “hack back” or perform other acts of vigilantism.

Because there should be no PII in the shared information, many of the privacy concerns about sharing indicators beyond the Department of Homeland Security (DHS) are out of proportion with the actual threat to civil liberties. The liability the bill places on the sharing entity for failing to remove PII should be sufficient to keep the shared information limited to cyber threat indicators, such as IP addresses, malware signatures, traffic signatures, and domain names. For indicators of that kind, it would not make sense for DHS to withhold them from NSA's Information Assurance Directorate. One would expect that information sharing augments DHS' mission to protect civilian networks. Likewise, there is no sensible reason to argue that NSA should not have access to the same cyber threat intelligence to protect DoD's networks.

That said, Sections 5(d)(5)(A)(iii) through 5(d)(5)(A)(vi) serve no useful purpose. First, cyber threat intelligence should not contain information indicating an imminent threat of death or serious bodily harm (iii), information about a terrorist act (iv), or child pornography (v). If an enterprise comes across such information, existing law already allows it to share that information with the FBI or other appropriate authorities. Second, and most importantly, given the first point, retaining such language in the bill would be tantamount to the Senate saying that this bill has nothing to do with cybersecurity and everything to do with surveillance that has heretofore been illegal, in which case CDT has it right. I trust the Senate does want to work on cybersecurity, and as such, this section needs to go.

Unremarked by CDT is Section 4(d)(4)(A)(ii) on oral consent. Recall that this whole bill is about cyber. In the age of cyber, arguing that one cannot obtain facsimile, email, or other written consent within a reasonable time period is not credible. The potential for abuse, where authorities compel a provider to hand over information and later cover their tracks by claiming they had oral consent, is too high. Such a clause will mire the bill in righteous indignation on the part of people concerned about civil liberties and the practical rule of law.