When someone shows up with a bill that promises to help secure America’s online infrastructure, it sounds like something we can all get behind.
First, CISA carves out the sharing of “cyber threat indicators” and “defensive measures” pursuant to this bill from the Freedom of Information Act (FOIA). Though it should be avoided if at all possible, this isn’t terribly unusual — it’s commonly known as a b(3) carveout (that’s FOIA’s exemption designed to allow bills, like this one, to exempt themselves). Although there’s a real question about the appropriate level of transparency for a bill that allows companies to hand over troves of information to the government (the wisdom of that sharing aside), CISA undoubtedly fails to strike the right balance. And that information could include anything that a company might determine is relevant to cybersecurity. In particular, the terms “cyber threat indicator” and “defensive measures” are defined far too broadly in this bill; the definitions are almost certainly overinclusive, and an agency’s withholding of such information is mandatory. Our biggest fear here is that we simply won’t know to what extent information is being shared, and how well companies are keeping our personal information out of it.
Second, in case it wasn’t clear from the above that CISA’s architects wanted it to be immune to FOIA, it also adds a whole new exemption to FOIA itself — the 10th in total. The unintended consequences of this would be enormous. Sunlight’s been knee-deep in FOIA reform for the past year and working to carefully tweak the existing exemptions. Each of the nine current exemptions has enormous case law surrounding it, has been interpreted differently over time, and not a single one applies specifically to only one bill. They describe whole classes of information — trade secrets or national security information — not just “information shared with or provided to the Federal Government pursuant to the Cybersecurity Information Sharing Act of 2015,” as CISA’s does. That’s bad practice, it’s unpredictable, and it sets a terrible precedent.
Third, it would give sweeping corporate immunity for companies sharing information under CISA. That means if they overstep and share the wrong information — as this bill seems to intend — the public won’t know, and even if it did, it would have no legal recourse. Meanwhile, the minimal oversight mechanisms within the bill only require reports to be submitted to Congress — not to the public. In other words, CISA guarantees the public will have no ability to see what information is going from companies to the government.
It’s also worth noting that experts don’t think it’s worth anything in terms of cybersecurity either.
What CISA would do, it turns out, is require automated sharing with “appropriate Federal entities.” But, straight from the bill, this is what that means:
(3) APPROPRIATE FEDERAL ENTITIES. The term “appropriate Federal entities” means the following:
(A) The Department of Commerce.
(B) The Department of Defense.
(C) The Department of Energy.
(D) The Department of Homeland Security.
(E) The Department of Justice.
(F) The Department of the Treasury.
(G) The Office of the Director of National Intelligence.
Taken together with the rest of the bill, when a company shares information with the government in an attempt to improve cybersecurity, that information will, by mandate, be shared with the Department of Defense (which houses the NSA) and the Department of Justice (which houses the FBI), as well as all the others. As noted above, this bill reeks of unaccountability and opacity — and also of surveillance.
CISA is unacceptable, and we urge all in the Senate to reject it.
Want to get involved? Check out Fight for the Future’s action page here, which will automatically fax your tweets to Congress. They also have a handy FAQ and some other details that may interest you.