Senate passes Cybersecurity Information Sharing Act


S. 754 — Cybersecurity Information Sharing Act of 2015

The text of the bill is available here, and has been summarized by GovTrack.us.

On October 27, 2015, the Senate passed the Cybersecurity Information Sharing Act (CISA) of 2015. CISA enables companies to share cyber threat indicators with each other and the federal government, and immunizes companies from liability for sharing under the act. The bill was originally introduced by Senator Richard Burr (R-NC), Chairman of the Senate Select Committee on Intelligence, on March 17, 2015, and was also sponsored by Senator Dianne Feinstein (D-CA). The Intelligence Committee voted 14 to 1 to report the bill favorably, S. Rep. 114-32 (2015). Prior to its passage, the Senate rejected a number of proposed amendments that would have limited its scope. The act now heads to conference to be reconciled with the Protecting Cyber Networks Act, H.R. 1560, which the House passed on April 22, 2015.

According to the Intelligence Committee report, the purpose of the legislation is to protect private companies, critical infrastructure, and government systems from hostile cyberattacks by facilitating a “voluntary cybersecurity information sharing process that will encourage public and private sector entities to share cyber threat information, removing legal barriers and the threat of unnecessary litigation.” S. Rep. 114-32 at 2.

This legislation directs the Department of Homeland Security (DHS) to operate as an entry point for entities to share “cyber threat indicators” with the federal government and to disseminate shared indicators to other agencies through an automated, real-time process. It also enables companies to share information with each other, and establishes reporting requirements for agencies that are involved in the information sharing. Controversially, CISA also provides liability protection, immunizing entities that share cybersecurity information with each other or the government.

A summary of the history surrounding the Senate bill is available at Congress.gov, including several failed amendments. CNN calls CISA a “historic” bill, quoting a former NSA employee who said that CISA “doesn’t do anything except help . . . defend our companies better,” but notes that “tech companies were suspicious of the bill.” The Guardian and Wired provide further commentary.

Commentators have noted vocal opposition from the tech sector and privacy/civil liberties advocates. Days before the Senate passed the bill, The Guardian counted Apple, Google, Twitter, and the Wikimedia Foundation (which runs Wikipedia) among 22 tech companies that disapproved of CISA. The Washington Post’s tech policy blog, The Switch, quoted Apple’s statement that “[t]he trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.” Computerworld noted at the time that “the very companies it purports to protect don’t want it.” Interestingly, although web services companies opposed CISA, infrastructural telecommunications companies like AT&T, Verizon, Comcast, and T-Mobile were silent on or supportive of CISA.

Wired criticizes the Senate for rejecting privacy protections and instead passing the bill with “privacy-invasive features fully intact,” adding that computer security researchers do not believe information sharing will do much to help cybersecurity. One of the problems, it writes, is that the definition of cybersecurity threat has too broad a scope — encompassing electronic communications, financial data, and even health records — due to the language “notwithstanding any other provision of law.” Moreover, CISA exempts shared information from the Freedom of Information Act, and sets aside civil liability in similarly broad language: “No cause of action shall lie or be maintained in any court against any entity, and such action shall be promptly dismissed, for the sharing or receipt of cyber threat indicators or defensive measures” in accordance with the act’s “voluntary” program. S. 754 at § 106. InfoWorld echoes Wired’s sentiment, pointing out that the federal government, which itself has a “poor track record” with leaking personal information, would be entrusted with a “treasure trove” of information that could include emails, credit card statements, and prescription drug purchases.

In the greater context of privacy in the electronic age, which is largely governed by pre-World Wide Web legislation such as the Electronic Communications Privacy Act, CISA appears to modernize cyberlaw to confront the realities of security threats in 2015. At the same time, it aligns with other ongoing efforts in the United States to lower the level of privacy in electronic data. The Department of Justice has previously argued that users sacrificed their expectation of privacy by entrusting data to a service provider, according to the New York Times. If CISA becomes law, it will further erode the expectation of privacy against the government in personal information stored electronically, because more of it will be encompassed in the indicators shared with the federal government — beyond the reach of civil liability.

Frederick Ding is a 1L at the Harvard Law School who is interested in free speech, privacy, and national security.