BreachExchange mailing list archives

The Knock-Down, Drag-Out Fight Over Cybersecurity Legislation


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 18 Jan 2016 18:07:23 -0700

http://www.slate.com/articles/technology/future_tense/2016/01/how_the_privacy_community_made_cybersecurity_legislation_better.html

Last year, the Cybersecurity Act of 2015, a bill allowing companies to
share information about cyberthreats with the government and one another,
became law. This marked the conclusion of a long battle between the
corporate and government interests that supported the bill and the privacy
community, which strongly opposed it.

Though the end product was a serious step back for privacy and likely for
cybersecurity as well, the version that passed is significantly better than
where legislation was when this debate started. Those improvements are the
direct result of the privacy community—including my own organization, New
America’s Open Technology Institute. (Disclosure: New America is a partner
with Slate and Arizona State University in Future Tense.) Despite corporate
interests massively outspending the privacy community to lobby Congress
(140 to 1 in 2011 alone), the privacy community repeatedly beat back bad
legislation because it included dangerously weak privacy protections,
threatened Americans’ civil liberties with overbroad law enforcement use
authorizations, and could undermine cybersecurity rather than enhance it.

In the legislative boxing match between privacy advocates on one side and
corporate and government interests on the other, privacy ultimately
lost—but it was far from a knockout, and privacy advocates gave as good as
they got from the first round to the last. An examination of the more than
half-decade battle over cybersecurity information sharing demonstrates just
how much impact the advocates and activists had on the ultimate legislation.

Round 1: The Kill Switch and Federalization of Critical Infrastructure Security

The debate around cybersecurity and information-sharing legislation began
in earnest in 2009, with the introduction of the Cybersecurity Act of 2009
by then-Senate Intelligence Committee Chairman Jay Rockefeller, D-West
Virginia.

Rockefeller’s bill included a provision called a “kill switch,” which would
have allowed the president to shut down Internet traffic in the case of
emergency or for a national security purpose, and to disconnect critical
infrastructure systems such as those controlled by banks,
telecommunications providers, and energy providers. Additionally,
notwithstanding any other provision of law, the bill would have given the
secretary of commerce access to “all relevant data” concerning critical
infrastructure networks, including unnecessary personally identifiable
information and communications content.

Groups like the Electronic Frontier Foundation immediately blew the whistle
on the Cybersecurity Act, and it quickly became clear that the Senate would
not be able to move forward with the bill.

Round 2: CISPA, the NSA, and Hacking Back

In 2011, the House Intelligence Committee jumped on the opportunity to lead
on the issue with the introduction of the now-infamous Cyber Intelligence
Sharing and Protection Act. While CISPA did not include a kill switch or
allow for completely unfettered government access to critical
infrastructure information—a win for the privacy community that emerged
from the Round 1 debate—it contained many seriously troubling provisions.

CISPA would have undermined civilian control of the Internet by allowing
companies to share information directly with the National Security Agency.
It would have permitted the government to use that information in
investigations into cybersecurity threats, but also into violent crimes
regardless of imminence or a specific threat, and for national security
purposes. (“National security purposes” is basically intelligence community
code for unlimited national security investigations and other
investigations unrelated to cybersecurity. Think NSA warrantless
wiretapping and bulk collection minus court approval and oversight, or even
a requirement for imminence or a specific threat.) Finally, CISPA would
have given companies complete liability protection against any harms that
resulted from sharing or receiving information under the bill, and for
retaliating against perceived threats, also known as “countermeasures” and
“hacking back,” so long as the company claimed that it acted in good faith.

The privacy community flexed its muscles and unleashed a massive wave of
opposition from both civil society organizations and constituents at the
grassroots level. After a series of letters to Congress, call campaigns,
and email actions opposing CISPA, and despite a few insufficient
amendments, the White House issued a veto threat, condemning CISPA as a
threat to privacy and cybersecurity, and citing many of the same concerns
raised by privacy advocates.

During the next Congress, CISPA’s sponsors reintroduced the bill with some
small changes. However, with the exception of removing the national
security purpose use authorization, all of the same significant problems
remained.

Once again, the privacy community and its grassroots base went to work to
oppose the bill, and again, the White House issued a veto threat. While the
debate around CISPA 2.0 was raging, the Senate was quietly working on its
own proposal, the Cybersecurity Act of 2012, which, though imperfect, did a
much better job of addressing privacy concerns than any other proposals
that had been considered. Nonetheless, Senate Republicans killed that
package, claiming that several of its provisions unrelated to information
sharing would have led to increased regulation.

Round 3: CISA and Passage of the Cybersecurity Act of 2015

From the ashes of CISPA rose the Cybersecurity Information Sharing Act of
2014, proposed by Sen. Dianne Feinstein, the then-chairwoman of the Senate
Intelligence Committee. As introduced, CISA brought both good and bad: It
would have authorized hacking back and other countermeasures, albeit
without liability protection; allowed direct sharing with the NSA; and
included a requirement to remove personally identifiable information,
albeit a weak one. It reined in some of CISPA’s expansive law enforcement
use authorizations by adding an imminence requirement to threats of death
and violence, but also expanded the list of authorized uses by allowing
information to be used for noncybersecurity investigations, such as those
into Espionage Act and Trade Secrets Act violations. Finally, CISA provided
liability protections for any action short of gross negligence, but they
were still not as expansive as those included in CISPA.

Yet again, the privacy community rallied against CISA, issuing letters of
opposition to the Senate and to the president. Democratic Senate leadership
took note of the privacy community’s concerns and closed out the 113th
Congress without taking action on CISA, despite significant pressure from
corporate interests.

After the Sony hack was revealed in November 2014, the impatience of the
intelligence community, the White House, the U.S. Chamber of Commerce, and
trade associations like the Financial Services Roundtable reached its peak,
and it became clear that Congress was going to pass a bill—any bill—so it
could say that it had finally done something.

Over the course of 2015, the House passed two bills and the Senate passed
an updated version of CISA. A comparison of all three bills shows that each
had better and worse privacy protections in varying respects. Over the
opposition of major tech companies like Apple and Dropbox and tech industry
trade associations, 71 civil society organizations and security experts,
and grassroots activists, Congress negotiated a final version of CISA,
renamed it the Cybersecurity Act of 2015, and passed it as Subdivision N of
the omnibus bill that provided the funding necessary to prevent a
government shutdown over the holidays. Clearly it was still so
controversial that congressional leadership couldn’t risk allowing it to
get its own vote, and instead forced its passage by ramming it in a
must-pass bill.

The final bill is a failure for anyone who cares about privacy or
cybersecurity. But because of the work of the privacy community, it’s leaps
and bounds better than when legislation was first introduced in 2009.

As enacted, CISA imposes a requirement that companies review information
for personally identifiable information and remove any that it knows is not
directly related to the cyberthreat before sharing. It only provides
liability protection for sharing information with the Department of
Homeland Security, or another civilian entity designated by the president.
And it only provides liability protection to companies that act within the
rules and requirements of the bill, without providing companies with a
good-faith defense.

It authorizes companies to use defensive measures to protect against
perceived threats, which still raises some concerns that cybersecurity
could be undermined. Importantly, however, it does not authorize companies
to retaliate against possible threats by hacking into other people’s
networks as previous bills did. Finally, it authorizes law enforcement to
use information for noncybersecurity investigations, such as Espionage Act
and Trade Secrets Act violations, but it does impose a “specific threat”
requirement for any investigation into threats of death, serious bodily
injury, terrorism, or use of weapons of mass destruction, and serious
economic harms.

These limitations are overbroad and in some instances are even a step back
from previous versions of cyber legislation. But the end result is
significantly better than it would have been had the privacy community not
intervened, and had Congress passed the Cybersecurity Act of 2009 or CISPA
and authorized kill switches, unrestrained sharing of Americans’ personal
information with the NSA, nearly limitless use of that information by the
NSA and FBI, and complete liability protection for hack backs and
information sharing.

Fight Over: We May Have Lost, but You Should See the Other Guy …

The debate over information sharing took the better part of a decade and
ended with no one being completely happy with the outcome—bill supporters
and members of Congress were left looking bad, while the privacy community,
despite winning important gains, was left feeling burnt and unsatisfied.
This all happened because legislators and companies seemed to assume either
that Americans didn’t care about their privacy or that the privacy
community didn’t have the power to influence the debate. On both counts,
they were dead wrong. The privacy community not only represents the
interests and the opinions of millions of Americans and of people all over
the world; it also has the will and the means to effect change. Thankfully,
that knock-down, drag-out fight provided a road map of sorts that might
help us avoid the same pitfalls in the future.

First, the privacy community has the power to win significant improvements
to legislation through effective advocacy and analysis, and grassroots
activism. Second, Americans care a lot about their privacy. To avoid
multiyear fights and delays on future bills, members of Congress should
start baking privacy protections into their legislation, which will require
consulting with activists and advocates, and not just industry, at the
outset. If we all keep those two lessons in mind, privacy and cybersecurity
will be more likely to win, and Congress might actually find that it can
get something done in a timely manner.

Those lessons are all the more important since we will face many more
debates over cybersecurity and privacy. The privacy and security
communities and industry have banded together to defend the importance of
encryption, while the intelligence and law enforcement communities seek to
undermine it. There will be other debates over government hacking and
vulnerability disclosure, over NSA surveillance, and much more. Lawmakers
and policymakers need to get serious about the fact that the privacy
community isn’t going anywhere, but it is growing and geared up for the
next debate.