CISPA-like zombie bills continue to rattle around Congress. A few weeks after the Obama Administration released its own computer security information sharing proposal, Democratic Senator Tom Carper followed through with the Cyber Threat Sharing Act of 2015. The bill closely mirrors the Administration's proposal.
The Cyber Threat Sharing Act is a predictable bill: it includes a "notwithstanding" clause that preempts all other privacy law, it relies on vague definitions, and it grants companies broad legal immunity for sharing information about "cyber threats" without requiring them to strip out unrelated personal information first.
There is one good thing in the bill: it does not grant companies new authority to use aggressive countermeasures outside their own networks. Such new powers were one of the many problems with previous bills like CISPA and CISA.
Regardless, Congress shouldn’t move the bill forward.
New Bill, Same Old Problems
The most important vague definition in the bill is "cyber threat." The entire bill turns on this term: it determines what information companies are authorized to collect, and it is folded into the definition of the "cyber threat indicators" that companies are granted immunity for sharing.
A "cyber threat" covers any action that "may result in" (1) unauthorized access in order to impair the integrity, confidentiality, or availability of an "information system," or (2) "unauthorized exfiltration, deletion, or manipulation of information that is stored on, processed by, or transiting an information system." We have concerns with this definition, since many everyday activities in security research and penetration testing "manipulate" information on a given computer. Even an ordinary visit to a website adds lines to the server's log, which is, technically speaking, a "manipulation of information."
Broad Legal Immunity
The problems with the vague definition of "cyber threat" are compounded by the broad legal immunity granted to companies for sharing "cyber threat indicators." Even setting the immunity aside, the bill authorizes companies to disclose potentially personal information "notwithstanding any other law." The bill does not require companies to delete irrelevant personal information before sending it to other companies or to the government; it merely requires them to make "reasonable efforts" to remove identifying information. Once those "reasonable efforts" have been made, the broad immunity kicks in, allowing companies to sidestep the privacy protections that would otherwise apply. Such a design invites the wholesale sharing of unrelated personal information. The standard is far too low: the bill should require any company sharing threat information to delete unrelated personal information before it is shared.
The Bill Punts on Privacy Protections
Another problem is that privacy protections are not written into the bill itself. For private-to-private sharing, the bill relies on private entities to identify best practices for sharing information. The track record of private self-regulation is not encouraging. The public is involved in developing those practices only if the government deems it "necessary."
When it comes to sharing with the government, the Attorney General, the Director of National Intelligence, the Secretary of Defense, and others are directed to create procedures to protect privacy. We are highly skeptical that these officials will produce effective privacy protections. The guidelines for those procedures are left conspicuously vague, and these are the same officials who wrote the so-called "privacy protections" in the surveillance context. Those surveillance procedures are littered with loopholes that permit overcollection, overretention, and oversharing of completely innocent users' personal information. And because the sharing happens in secret, users won't even know when their privacy has been harmed.
The bill shouldn't rely on after-the-fact privacy guidelines to narrow the universe of information shared. It should explicitly mandate that the information may be shared only for defensive purposes, such as hardening computer systems against attacks.
Moreover, the information won't be used only to protect computer systems. The "use restrictions" in the bill permit use for any "computer crime," a term the bill does not define. Is a "computer crime" any crime that involves a computer, or only an offense under the Computer Fraud and Abuse Act?
The Bill Should Be Killed
Senator Carper's bill is the first to be introduced that fully adopts the Obama Administration's cybersecurity information sharing proposal. As it stands, the bill has serious flaws that must be fixed. We fully expect more bills to be introduced, so keep an eye out for further analyses.