The Cybersecurity Information Sharing Act of 2015

By: Christopher W. Folk

In the eleventh hour of the twelfth month of 2015, the Cybersecurity Information Sharing Act (“CISA”) (Pub. L. No. 114-113)[1] was pushed through Congress as part of an omnibus spending bill that was subsequently signed by President Obama.[2] The bill has been hailed by its sponsors as long overdue and an important step in enhancing our nation’s cybersecurity, while privacy advocates have decried it as the government’s further encroachment on privacy rights.[3] CISA 2015 is an expansive and wide-reaching law; consequently, our focus will be limited to the information sharing portion of the law.

In order to understand CISA 2015, it is important to consider what the act covers. The sponsors of this legislation, as well as the White House, have indicated that the act is focused on information sharing between private and federal entities, purportedly to enhance the United States’ cybersecurity posture, whereas privacy advocates claim it is merely an expansion of the cyber-surveillance state.[4] CISA 2015 defines a cybersecurity threat as “…an action, not protected by the First Amendment …, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.”[5] This definition covers nearly everything. Of particular interest is the key language “…that may result in an unauthorized effort…,” which seems to imply that merely taking an action with the potential to impact an information system is a cybersecurity threat, and that no actual harm must occur. Because the crux of the act is information sharing, when a private entity shares information with a federal entity the bar for establishing that something could possibly be a threat is set exceedingly low. This shifts the burden of due diligence: information sharing can occur without the entity really examining the issue and its context to see whether harm is “likely” to occur. There is a vast expanse between something that is possible and something that is likely. Under these auspices, an entity could share almost anything that had even an infinitesimal chance of causing harm.

CISA 2015 addresses areas such as the authorization to monitor for and identify cybersecurity threats, the sharing of cybersecurity threat information between federal and non-federal entities, and protections from liability related to such sharing. CISA 2015 authorizes entities to monitor information systems, implement defensive cybersecurity measures, and share cyber threat indicators or defensive measures, so long as these actions are done under the guise of cybersecurity purposes.[6] With respect to liability limitations and information sharing protections, information shared for cybersecurity purposes will not be made generally available to the public and is exempt from, among other things, FOIL laws, preventing the disclosure of any of the shared information.[7] While this may help to encourage information sharing, it could also have a chilling effect on oversight, as an entity can simply claim that information sought under disclosure mandates is excluded because it relates to “cybersecurity threat information sharing.” Furthermore, section 106 of CISA 2015 directly addresses liability and states that no cause of action can be initiated or continued in any court against any private entity related to (1) the monitoring of an information system or (2) the sharing or receipt of any cyber threat indicator or defensive measure, so long as these actions are done in accordance with CISA 2015 (which of course relates back to the act’s definition of cybersecurity threat).[8] As a result of this language, both the Federal Trade Commission (“FTC”) and the Federal Communications Commission (“FCC”) have effectively been de-fanged by this legislation: neither the FTC nor the FCC can pursue private entities that monitor their information systems so long as the entity establishes that it is acting pursuant to cybersecurity purposes.

In some respects CISA 2015 serves to leverage President Obama’s Executive Order 13691, which was designed to promote the creation of information sharing and analysis organizations (ISAOs) in order to encourage the sharing of cybersecurity threat information between the private sector and the government.[9] While this could be viewed as a positive step, one can also counter that it encourages the widespread and continued intrusion into our everyday cyber lives. CISA 2015 does not just encourage information sharing; it also severely limits the liability of any entity that shares information, regardless of whether that information ultimately contains personally identifiable information (“PII”) or turns out to be unconnected to any viable cybersecurity threat. CISA 2015 does require that non-federal entities review information for PII prior to sharing, but the threshold is once again exceedingly low. The act allows the entity either to review the information and remove PII that it “knows” identifies a specific individual, or, in the alternative, to develop a technological solution to remove information unrelated to a cybersecurity threat that the entity “knows” at the time of sharing to be personal information.[10] Here “knowingly,” as defined in the Model Penal Code, essentially means that the entity must be “practically certain” that its conduct (e.g., the sharing of information) would both (1) not be connected to a cybersecurity threat and (2) contain information that would identify a specific individual.[11] In addition to encouraging sharing, section 105 provides that cybersecurity threat information is shared with all of the federal entities, subject only to such controls as are unanimously agreed to by the federal entities.[12] Consequently, any information processing is weighed in favor of expediency and against the unintended release of PII, in spite of the potential collateral damage associated with the sharing of PII.

Within this same section, CISA lists a range of authorized activities which allow federal, state, and local law enforcement to use cyber threat information for investigations covering a wide range of offenses, essentially allowing the government access to and use of information that would otherwise be protected by the Fourth Amendment’s provisions against unreasonable searches and seizures and its probable cause requirements.[13]

Effectively, the public outcry following the Snowden revelations about widespread cyber-surveillance was overcome as this expansive bill was pushed through the House and the Senate and dutifully signed by President Obama. As though the encouragement and promotion of information sharing did not have enough potential for misuse, the act goes a step further by declaring that all of this information is exempt from the standard disclosure laws and that entities involved in cybersecurity threat analysis, monitoring, defense, and sharing are exempt from lawsuits. To further ensure that no hurdles exist, the definition of cybersecurity threat adopted in this legislation is overly broad and covers everything unless a First Amendment exception can be successfully asserted – which is no small task. In short, the Cybersecurity Information Sharing Act of 2015 seems to stack the deck in favor of entities and against individuals’ privacy rights.

[1] Cybersecurity Information Sharing Act of 2015, Pub. L. 114-113, 129 Stat. 694, 694-744 (2015).

[2] Christopher Harvie & Cynthia J. Larose, Happy New Year – Cybersecurity Information Sharing Act, National Law Review (Jan. 6, 2016), http://www.natlawreview.com/article/happy-new-year-cybersecurity-information-sharing-act.

[3] Jack Detsch, Is the Cybersecurity Act really government spying in disguise?, The Christian Science Monitor (Dec. 23, 2015), http://www.csmonitor.com/World/Passcode/2015/1223/Is-the-Cybersecurity-Act-really-government-spying-in-disguise.

[4] Robyn Greene, Cybersecurity Information Sharing Act of 2015 is Cyber-Surveillance, Not Cybersecurity, Open Technology Institute (Apr. 9, 2015), https://www.newamerica.org/oti/cybersecurity-information-sharing-act-of-2015-is-cyber-surveillance-not-cybersecurity/.

[5] Cybersecurity Information Sharing Act of 2015, supra note 1, at 696.

[6] Id. at 699-700.

[7] Id. at 702.

[8] Cybersecurity Information Sharing Act of 2015, supra note 1, at 709-10.

[9] The White House, Office of the Press Secretary, FACT SHEET: Executive Order Promoting Private Sector Cybersecurity Information Sharing (Feb. 12, 2015), https://m.whitehouse.gov/the-press-office/2015/02/12/fact-sheet-executive-order-promoting-private-sector-cybersecurity-inform.

[10] Cybersecurity Information Sharing Act of 2015, supra note 1, at 701.

[11] Model Penal Code § 2.02(2)(b) (Am. Law Inst., 2016).

[12] Cybersecurity Information Sharing Act of 2015, supra note 1, at 695, 703 (Federal Entity includes: Dept. of Commerce, Dept. of Defense, Dept. of Energy, Dept. of Homeland Security, Dept. of Justice, Dept. of the Treasury, and the Office of the Director of National Intelligence).

[13] Greene, supra note 4.