A Cybersecurity Bill Light on Security, Heavy on Corporate Protection

Spurred by the massive exfiltration of personal data from the Office of Personnel Management, Congress may be finally poised after years of delay to pass a new cybersecurity measure aimed at more effectively safeguarding U.S. data — even if that measure would do little to protect against the very gaps the OPM hackers preyed upon.

Three months of intense scrutiny of the OPM breach and a torrent of reports of data breaches at U.S. companies and government agencies have jump-started a long-stalled initiative to improve information-sharing about cyberthreats between the government and the private sector. The Cybersecurity Information Sharing Act (CISA), co-sponsored by Sen. Dianne Feinstein (D-Calif.) and Senate Intelligence Committee Chairman Richard Burr (R-N.C.), has emerged as the most prominent cybersecurity measure currently making its way through Congress — and the only one with any real chance of passage.

CISA’s provisions require the Department of Homeland Security to set up a real-time system for sharing threat information from the private sector with agencies of the federal government. It also gives businesses broad legal immunity for any data shared with the government under the auspices of the law.

While businesses like the measure, which widely protects them from lawsuits, computer security experts are deeply skeptical that CISA’s regime of sharing information between the private sector and the government would improve network safeguards. “The OPM breach was like a cat burglar crawling in through an unlocked window,” said Matthew Green, a professor at Johns Hopkins University and an expert in computer security and cryptography. “You solve this problem with better locks, cameras, and security systems. You don’t solve it by putting cameras in every private business in the city.”

The director of the National Security Agency (NSA), Adm. Michael Rogers, seemed to echo that skepticism last week when he said at the Wilson International Center for Scholars that information-sharing is only the “beginning” of a “much longer process” of improving cybersecurity.

Meanwhile, civil liberties groups consider the measure to be a surveillance bill in disguise that could increase the NSA’s ability to collect data from American companies — information that could include the personal information of their customers and users.

When Senate Majority Leader Mitch McConnell (R-Ky.) failed to move the measure before Congress left for its summer break, some observers thought it was dead for yet another year. But Senate aides now say it is possible that McConnell could navigate a packed calendar and a fractious, polarized Republican caucus to deliver a Senate vote this fall.

Last week’s conclusion of the debate over the nuclear deal with Iran has cleared one major item from the Capitol docket. McConnell now holds the cards that will determine whether CISA, which has garnered strong support from the business community, will hit the Senate floor. McConnell spokesman Michael Brumas said the Republican leader would still “like to get that done” but wouldn’t elaborate on the Senate’s legislative calendar beyond the Iran deal.

Senate Republican and Democratic staffers alike say they expect the measure to head toward a vote in early or mid-October, as long as Congress is able to meet an Oct. 1 deadline to fund the federal government and avoid a shutdown. “McConnell can bring it to the floor whenever he wants, and we are led to believe that the leader wants to bring this back up now,” an aide to Feinstein told Foreign Policy, speaking on condition of anonymity to discuss Senate planning. The vote, he said, would very likely occur after a federal funding deal.

In an Aug. 6 press conference before Congress left for its summer recess, McConnell underlined his ambitious plans to move the legislation. “I would love to have finished cybersecurity this week, but we have now an agreement that will allow us to finish it in September,” he said. Now, however, it is the opening weeks of October that will likely see an intense fight between business and privacy interests to determine the bill’s final shape.

If the Senate does tackle CISA this term, it will have to consider a bevy of amendments offered to the bill — 22 were added before the congressional summer break. Feinstein’s aide said the final Senate legislation will all but certainly include her so-called “manager’s amendment,” which would restrict the ability of law enforcement to use information that is shared under the scope of the law for criminal prosecutions. It will also clarify that companies cannot defend themselves in ways that would violate the Computer Fraud and Abuse Act, a move aimed at allaying fears that an earlier version of the bill would allow companies to “hack back” against those who attack their networks.

Additionally, separate amendments offered by Sens. Ron Wyden (D-Ore.) and Al Franken (D-Minn.) are meant to make the bill more palatable for civil libertarians. Wyden’s would reduce the likelihood that CISA would allow sharing of personally identifiable information among government agencies. Franken’s would tighten the definitions of “cyber security threat” and “cyber security indicator” — the categories of information authorized for sharing under CISA. Privacy advocates fear that the current version of the bill defines those threats too broadly and could make it easy to distribute people’s personal information to the NSA.

The amendments would start addressing civil liberties concerns about the bill, said Robyn Greene, policy counsel at New America’s Open Technology Institute. But even if they are all in place, she added, CISA would further open the door for information-sharing between the Homeland Security Department and the NSA — and help the government gather more electronic intelligence.

Even the Department of Homeland Security is concerned about the bill’s privacy implications. “The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections,” Deputy Homeland Security Secretary Alejandro Mayorkas wrote in a July 31 letter to Franken.

That provision lies at the heart of privacy activists’ argument against the bill. While CISA designates the Department of Homeland Security as the primary conduit for real-time sharing of cyberthreat indicators — technical artifacts such as malware samples or signatures, port numbers, and IP addresses — it also allows companies to share such data with any entity in the federal government. “What CISA allows is the flipping of a switch to start the rapid and real-time sharing of exponentially more content, content that may not be related to an attack,” said Mark Jaycox, a legislative analyst at the Electronic Frontier Foundation.

Moreover, Mayorkas’s letter hints at what has become a bureaucratic fight between the Department of Homeland Security and the rest of the U.S. intelligence community. Having already set up mechanisms to facilitate the sharing of cyberthreat information, such as the National Cybersecurity and Communications Integration Center, the department appears keen to retain responsibility for facilitating information-sharing while ensuring that the intelligence community doesn’t muscle in on its turf.

“The [Obama] Administration has consistently maintained that a civilian entity, rather than a military or intelligence agency, should lead the sharing of cyber threat indicators and defensive measures with the private sector,” Mayorkas wrote. “[I]f cyber threat indicators are distributed amongst multiple agencies rather than initially provided through one entity, the complexity — for both government and businesses — and inefficiency of any information sharing program will markedly increase.”

Indeed, major industries that are the targets of frequent cyberattacks have already set up information-sharing centers. The Financial Services Information Sharing and Analysis Center is considered something of a forerunner for big business, but smaller sectors have struggled to keep up. CISA is seen as a way to encourage more businesses to participate in such fora, which usually operate independently of the government.

“While the financial sector does a good job of sharing information within our tribe, we are now at a point where the attacks are so numerous and various that if other sectors were able to share, you’d be able to ratchet up everybody’s ability to fight cybercrime,” said Jason Kratovil, vice president for government affairs at the Financial Services Roundtable, an industry group.

The business community is clamoring for CISA to be passed, largely because it would offer expansive liability protection in sharing information with the federal government. Under current laws, companies already share attack information with the federal government and within industry groups. Yet some firms remain nervous about doing so, afraid that data-sharing may expose them to legal action from customers who allege mishandling of private information. Extending liability protections may be one way to expand such information-sharing. Even if it fails to do so, protection from what industry lobbyists call “frivolous lawsuits” over information shared with the government has become a key goal for business groups.

“This is about providing legal coverage,” said Matthew Eggers, a senior director at the U.S. Chamber of Commerce, who works on national security issues. “Something that has been missed in this is that businesses are looking for a signal to share data and that that’s OK.”

Senate aides say that providing such a signal could provide at least a marginal security benefit. “CISA won’t solve all cybersecurity problems, but it will make significant improvements to security. After hundreds of meetings with companies and government agencies, it’s clear the lack of statutory authority and the possibility of legal liability is hindering the flow of cyber threat information and cyber defensive measures,” a Democratic Senate Intelligence Committee spokesman said, adding that the removal of such obstacles could help companies fight back.

Nonetheless, business groups’ advocacy on the issue is indicative of the likely paltry security benefits of the bill. In an Aug. 4 letter to senators, the Protecting America’s Cyber Networks Coalition urged the Senate to pass CISA, without explicitly stating that it expected the bill to improve security. That letter by a group that calls itself a “partnership of leading business associations representing nearly every sector of the U.S. economy” described how “[r]ecent cyber incidents underscore the need for legislation” to improve “awareness of cyber threats” and enhance “protection and response capabilities.”

But the only tangible benefit of CISA that the letter identified was giving “businesses legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators.”

This story has been updated with a statement from a Democratic Senate Intelligence Committee spokesperson.
