Aug 10, 2015 - 5:00pm

Cyber Fact and Fiction: Debunking Five CISA Myths


Former Senior Vice President, National Security and Emergency Preparedness Department, U.S. Chamber of Commerce

Note: The U.S. Chamber of Commerce will host its fourth annual Cybersecurity Summit on Oct. 6 in Washington.

Some privacy groups say that personal information is typically necessary to identify cyber threats, and that cybersecurity information-sharing legislation is equal to surveillance.

False.

That myth and others are used to oppose positive information-sharing legislation, particularly S. 754, the Cybersecurity Information Sharing Act (CISA) of 2015.

The Senate is expected to vote on the legislation this fall when it returns, so we figured we would take this August to set the record straight and debunk five myths held by a small but vocal group of lawmakers and privacy interests.

Myth: Shared cyber threat information is broad in scope.

Fact: CISA’s definition of cyber threat indicators (CTIs) is very limited. Businesses and government entities may only share the tactics, techniques, and procedures used by malicious actors to compromise the computer networks of their victims. In the vast majority of cyber incidents, CTIs do not implicate a person’s behavioral, financial or social information.

Myth: CISA is a surveillance bill.

Fact: CISA does not authorize the government to surveil individuals, such as by targeting crimes unrelated to cybersecurity. First, a revised version of CISA eliminates the government’s ability to use CTIs to investigate and prosecute “serious violent felonies” — which is a significant pro-privacy change to the bill.

Second, network “monitoring” conducted by businesses under CISA is limited to cybersecurity purposes, similar to CTIs. Monitoring can only be conducted on a company’s own information systems. Further, “monitoring” under CISA is not intended to carry the same meaning as “monitoring” in the context of federal criminal wiretap law or electronic surveillance under the Foreign Intelligence Surveillance Act (FISA). Any other monitoring by companies would require authorization beyond what CISA grants.

Third, Sen. Dianne Feinstein, a California Democrat, said on the Senate floor last week that CISA is not a surveillance bill, and that the bill was amended several times to address critics’ concerns:

[CISA] is not a surveillance bill. . . . It gives the Attorney General [and the Secretary of Homeland Security] the obligation to come up with secure guidelines to protect private information. . . . We have taken every step to prevent privacy violations from happening under this bill. Yet there are individuals who still raise that as a major concern. I believe it is bogus. I believe it is a detriment to us in taking this first step to protect our American industries. If we don’t pass it, the thefts are going to go on and on and on.

Myth: The bill allows companies to use offensive measures or “hack back.”

Fact: CISA does not permit so-called hacking back — companies are not authorized to destroy or render computer systems unusable. The bill ensures that “defensive measures” (DMs) are properly bounded. The managers’ amendment clarifies that companies are not allowed to gain unauthorized access to a computer network.

Myth: CISA does not require businesses to remove personal data from threat indicators.

Fact: CISA contains multiple, overlapping provisions to guard and respect privacy. For example, in those rare instances where an individual’s personal information is embedded within CTIs or defensive measures, CISA calls for public and private entities to remove such personal information unrelated to a cyber-threat when sharing CTIs and DMs — and the federal government must do the same.

Myth: Businesses are encouraged to share information with the Department of Defense (DoD) and the National Security Agency (NSA).

Fact: Businesses are not granted liability protection when sharing CTIs with the DoD and the NSA — which preserves the status quo. CTIs that businesses pass on to the federal government must go through the Department of Homeland Security (DHS), which is a civilian entity.

***

CISA’s authors, Sens. Richard Burr, a Republican from North Carolina, and Feinstein have recently revised their bill to increase its privacy protections. Among other things, the managers’ amendment further limits the sharing of cyber threat data to “cybersecurity purposes.” Closely related, the revised measure eliminates the government’s use of cyber threat indicators to investigate and prosecute “serious violent felonies,” thus putting to rest false claims that CISA is a surveillance bill. The managers’ amendment also ensures that the use of DMs does not allow an entity to gain unauthorized access to a computer network. The bill writers have worked diligently to address the concerns of privacy and civil liberties organizations.

This bipartisan bill – a workable compromise among many stakeholders – would help businesses achieve timely and actionable situational awareness to improve their own and the nation’s detection, mitigation, and response capabilities against cyber threats.

CISA safeguards privacy and civil liberties; it is not a surveillance bill.

About the Author

Beauchesne is the former principal spokesperson on national security and emergency preparedness issues, and is responsible for building and maintaining relationships with administration and regulatory agency leaders.