Written byGreg Otto
As the Senate nears a Tuesday vote on the Cybersecurity Information Sharing Act, privacy advocates are calling for the passage of several amendments that they say will better safeguard against the misuse of personally identifiable information and other forms of government overreach.
Several proposed amendments will be considered Tuesday as CISA goes to a full vote. The bill, which has sputtered and stalled on Capitol Hill numerous times this year, looks to give liability protection to private companies that are sharing cyber threat information with the federal government. However, the amendments added to the bill look to limit what agencies have access to, along with how much PII gets passed along.
Here is what each amendment looks to accomplish if it passes Tuesday:
Sen. Ron Wyden, D-Ore., is attempting to protect PII by inserting language that makes companies remove it “to the extent feasible” given it doesn’t help provide information about a threat. The default language in the bill gives companies some leeway, only requiring them to remove PII if they know the information is a “direct threat.”
Wyden has fought for PII safeguards since the bill was introduced.
“At the same time that the bill creates a new way to collect Americans’ information without a warrant, the bill also gives corporations blanket immunity for providing information to the federal government, and would prohibit that data from being used to police those corporations,” Wyden said in June. “I do not agree that corporations’ privacy is more important than individuals’ privacy. And I do not agree that the best way to improve cybersecurity is to make it harder for individuals to sue these corporations.”
A similar amendment will be considered if the Wyden amendment fails, which will put the onus on the Department of Homeland Security to remove PII if it doesn’t look to be related to cyberthreats. Groups like the Center for Democracy and Technology and New America’s Open Technology Institute are lukewarm on the amendment, saying it still compromises privacy by allowing private companies to wash their hands of guarding PII.
The Heller Amendment “strengthens the requirement to remove PII, but only for federal entities and therefore is only half a fix, writes CDT’s Greg Nojeim. “Damage to privacy is done when a company needlessly shares its users’ PII with the federal government.”
Ryan Stolte, co-founder and chief technology of San Francisco-based cybersecurity company Bay Dynamics, said trusting DHS to follow through on this amendment is going to take a leap of faith.
“As we have seen from the attack against the Office of Personnel Management, it’s tough to put our 100 percent trust in the government when it comes to how they are preventing our most valuable information from getting into the wrong hands,” Stolte said. “Under CISA, we will be sharing information with them and how are we supposed to know that information is being protected?”
A third amendment related to PII, submitted by Sen. Chris Coons, D-Del., adds additional safeguards on top of having DHS scrub personal information out of anything considered a threat. While the initial bill calls for DHS to submit threats to other agencies like the National Security Agency and the FBI in real time, the Coons amendment changes that language to “as quickly as operationally possible,” which gives DHS leeway to remove PII. The amendment also calls for the attorney general to establish a standard that would determine what types of PII are removed from threats, something not established in the Heller Amendment.
Co-sponsored by Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., this amendment looks to assuage other privacy concerns. The amendment calls for information from private companies to only be used for cybersecurity purposes, prevents information from being used in law enforcement investigations related to violent felonies, and gives federal agencies the ability to remove PII mistakenly included by private entities.
Sen. Al Franken, D-Minn., has two amendments attached to CISA. The one he is solely responsible for tightens the definition of cybersecurity threats and threat indicators, making companies establish the shared information as “reasonably likely to” (instead of “may”) cause damage to their networks.
The second, co-sponsored with Sen. Jeff Flake, R-Ariz., would attach a six-year sunset clause to the bill, as well as liability protection to companies that share information prior to the expiration of the bill.
Sen. Tom Cotton, R-Ark., is looking to expand the amount of agencies private entities can share information with, including the FBI and the Secret Service. Unlike the prior amendments, privacy groups have railed against this amendment in its entirety, due to the fact that it undermines DHS’s responsibilities as the lead agency for civilian cybersecurity.
Sen. Patrick Leahy, D-Vt., has also placed an amendment into the bill that would remove Freedom of Information Act exemptions for shared information, but most of the information shared between companies and the federal government would be protected under other FOIA protections due to it being considered proprietary information.
Privacy groups like CDT and New America are in favor of a majority of the amendments, except for Cotton’s.
“Extending the ability to share CTIs with the FBI and Secret Service would undermine the DHS cybersecurity mission by encouraging companies to share CTIs with entities other than DHS, the lead agency in civilian cybersecurity,” CDT’s Nojeim writes. “DHS has cautioned that allowing companies to share CTIs with any agency they choose would complicate the information sharing program and undermine its ability to protect the privacy of the Internet users whose communications data would be shared.”
The bill has been widely criticized by tech companies, who have either come out on their own or through a trade group to say they do not support the bill. Over 70 academics, security researchers and nonprofits issued a letter against the bill, saying it fails to protect users’ information while giving the government another avenue for surveillance.
Bay Dynamics’ Stolte also said the bill fails in giving companies the ability to monitor and share security information with third-party vendors.
“The lack of communication and visibility between organizations and the third-party vendors they hire has led to numerous breaches and a government-backed framework may help close that gap,” he said. “What if the Office of Personnel Management was able to determine that something suspicious was happening from a KeyPoint Government Solutions account early on? Under what framework do they communicate back to KeyPoint Government Solutions about that suspicious activity and the users behind it? CISA should create that framework and give companies coverage without being penalized.”
Last week, the White House came out in support of the bill, but said it will “strongly oppose any amendments that would provide additional liability-protected sharing channels, including expanding any exceptions to the DHS portal.”
“The administration remains concerned that the bill’s authorization to share with any federal entity, notwithstanding any other provision of law, weakens the bill’s requirement that information be shared with a civilian entity,” the statement read. “This remains a significant concern, and the administration is eager to work with the Congress to seek a workable solution.”