Opponents of cybersecurity information sharing legislation will tell you that the bills have everything to do with privacy and making sure our personal information doesn't end up in the wrong hands. We couldn't agree more; that's precisely what the bills are all about.
What they miss, though, is that the legislation would protect, not undermine, America's privacy.
Measures like the Senate's Cybersecurity Information Sharing Act (and its counterparts already approved by the House) would grant protections to companies that share details of cyberattacks with the federal government or other companies. The legislation is urgently needed, experts say, in order for our country to learn from past attacks and strengthen our defenses against cyber criminals.
Unfortunately, some privacy and civil liberties groups perpetuate the falsehood that personal information is necessary to identify cyber threats. Though wholly inaccurate, this argument is being used to oppose cybersecurity information-sharing legislation, particularly CISA, which the Protecting America's Cyber Networks Coalition is pressing the Senate to approve this fall.
On close inspection of the bill, CISA's definition of cyber threat indicators (CTIs) limits the type of information that businesses and government entities can share to essentially the most basic data that helps identify and defend against the tactics, techniques, and procedures bad actors use to compromise their victims' computer networks. That information does not include the sensitive personal information held on such networks.
CTIs, according to the bill, describe or identify malicious reconnaissance, a method of defeating a security control or exploiting a security vulnerability, malicious cyber command and control, and the actual or potential harm caused by an incident, among other types of cyber threat data. Listed below are some common examples of the clinical information that comprises CTIs; in the vast majority of cyber incidents, none of it implicates a person's behavioral, financial, or social information.
- Domain names refer to the location of an organization on the Internet.
- Internet protocol (IP) addresses are unique numerical identifiers assigned to every computing device connected to the Internet.
- Log data can be thought of as the exhaust gas of an information system and often reveals clues associated with a cyberattack.
- Malware includes viruses, worms, and Trojan horses. Methods of delivering malware include botnets, networks of infected computers that malware places under an attacker's control and that can be used to launch phishing attacks. Cybercriminals send out waves of spam email in hopes of "hooking" an unsuspecting individual into clicking on an infected attachment or Web link in an email.
- All communications on the Internet are broken up into packets when they are transmitted from, for example, a smartphone to a laptop computer; the packets are reassembled when they reach the destination computer. Each packet contains “header” information, comparable to the outside of a mailing envelope, which includes IP addresses.
- Computers use different ports to handle various types of Internet traffic (e.g., email traffic is handled on certain ports, while website traffic is handled on others). Port information does not reveal traffic contents.
- Signatures refer to recognizable, distinguishing patterns associated with a cyberattack (e.g., a binary string in a virus or a particular set of keystrokes used to gain unauthorized access to a network).
- Time/date stamps are used to identify the timing of a cyberattack.
- A Uniform Resource Locator (URL) is a Web address.
See any personal information in there? Neither do we, because that’s not what’s being shared.
In fact, in the rare instances where an individual's personal information happens to be embedded within CTIs or defensive measures, CISA strictly mandates that public and private entities remove that information before sharing them.
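As an added illustration of that "remove it before sharing" step (example code written for this page, not text from the bill or code from the coalition): a small Python filter that keeps only the CTI categories listed above and scrubs e-mail addresses, URL credentials and query strings from the values it keeps before a record is shared. The field names, regular expressions and log lines are constructed for the example; the bill itself prescribes no record format.

```python
import re

# Fields that correspond to the CTI categories the article lists
# (time/date stamps, IP addresses, ports, domain names, URLs, signatures).
# These names are constructed for this example; a real sharing platform
# would use its own schema.
CTI_FIELDS = {"ts", "src_ip", "dst_ip", "dst_port", "domain", "url", "sig"}

# Personal data can hide inside otherwise technical values, so each kept
# value is scrubbed, not merely selected.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_USERINFO_RE = re.compile(r"://[^/@?#]+@")   # https://alice:pw@host/...
URL_QUERY_RE = re.compile(r"[?#].*$")           # ?user=...&session=... and fragments


def parse_log_line(line: str) -> dict:
    """Parse a constructed 'key=value key=value' log line into a dict."""
    record = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def scrub_value(key: str, value: str) -> str:
    """Remove personal data that may be embedded in a CTI value."""
    if key == "url":
        value = URL_USERINFO_RE.sub("://", value)  # drop embedded credentials
        value = URL_QUERY_RE.sub("", value)        # drop query string / fragment
    return EMAIL_RE.sub("[redacted-email]", value)


def to_shareable_cti(record: dict) -> dict:
    """Keep only CTI fields, scrubbed; user names, accounts, free text are dropped."""
    return {k: scrub_value(k, v) for k, v in record.items() if k in CTI_FIELDS}


def prepare_for_sharing(lines):
    """Return (shareable records, number of fields withheld) for a batch of log lines."""
    shared, withheld = [], 0
    for line in lines:
        record = parse_log_line(line)
        cti = to_shareable_cti(record)
        withheld += len(record) - len(cti)
        shared.append(cti)
    return shared, withheld


# Constructed sample log lines (documentation IP ranges and example domains, not real data).
SAMPLE_LOGS = [
    "ts=2015-08-05T14:02:11Z src_ip=203.0.113.7 dst_ip=198.51.100.22 dst_port=443 "
    "domain=updates.example.net "
    "url=https://alice:hunter2@updates.example.net/login?user=alice@example.com&session=abc123 "
    "user=alice@example.com account=alice sig=phish-kit-landing-page",
    "ts=2015-08-05T14:03:40Z src_ip=203.0.113.7 dst_ip=198.51.100.23 dst_port=25 "
    "domain=mail.example.org msg=mail_from_bob@example.org_rejected sig=spam-wave-0805",
]

if __name__ == "__main__":
    records, withheld = prepare_for_sharing(SAMPLE_LOGS)
    for r in records:
        print(r)
    print(f"{withheld} non-CTI fields withheld")
```

The filter is an allow-list rather than a deny-list: a field is shared only because it belongs to a known CTI category, so a new log field carrying personal data is withheld by default instead of leaking until someone adds a rule for it.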
The bottom line is that CISA is about protecting America's cyber systems, and the notion that it represents anything even close to a surveillance bill is patently false, no matter how far some privacy advocates try to stretch CISA's intent. The fact is, CISA does not authorize the government to surveil individuals or to target crimes unrelated to cybersecurity.
Senator Dianne Feinstein (D-CA), the bill's co-author, made this same point on the Senate floor on August 5, explaining that CISA is not a surveillance bill and that the bill was amended several times to address critics' concerns:
[CISA] is not a surveillance bill. . . . It gives the Attorney General [and the Secretary of Homeland Security] the obligation to come up with secure guidelines to protect private information. . . . We have taken every step to prevent privacy violations from happening under this bill. Yet there are individuals who still raise that as a major concern. I believe it is bogus. I believe it is a detriment to us in taking this first step to protect our American industries. If we don’t pass it, the thefts are going to go on and on and on.
Senator Feinstein is not alone among lawmakers in making sharp distinctions between surveillance programs and CISA. In March, the House Intelligence Committee passed H.R. 1560, which is similar to CISA. Ranking Member Adam Schiff (D-CA) stressed, “No one is a bigger advocate for NSA [National Security Agency] reform than I’ve been.”
He added that he sees the NSA issues as separate from cyber information-sharing legislation, where “we’ve done everything we can to meet the demands of the privacy community.”
Lost in this debate is the reality that the real assault on individuals' privacy is coming from a mutual foe: foreign powers or their proxies, and cybercriminals who every day steal our login credentials, our payment card data, our trade secrets, and much more, causing real harm to U.S. citizens, consumers, and businesses.
The bipartisan CISA bill has been carefully written to protect privacy and preserve the role of civilian and intelligence agencies, while also spurring public-private sharing of cyber threat information with appropriate liability protections for companies to help guard us from those harmful attacks.
Which begs the question: Shouldn’t privacy advocates join businesses in pushing for CISA’s passage?