Wikilegal/CISPA

From Meta, a Wikimedia project coordination wiki

The Cyber Intelligence Sharing and Protection Act[1] (“CISPA”) is proposed cybersecurity legislation[2] that allows organizations to collect and share information about threats against networks and systems so that the private sector can defend itself against such attacks.[3] CISPA allows organizations to monitor their networks and systems and share information with other organizations or the federal government for the purpose of “ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network.” The statute says “a system or network,” so it is unclear precisely whose network satisfies this definition.[4]

To encourage information collection and sharing, CISPA exempts collection and disclosure from state and federal laws, such as public disclosure, antitrust, and wiretapping statutes; shields organizations from liability; requires the government to keep disclosed information confidential; and prevents the government from sharing disclosed information with regulators.

CISPA’s supporters generally include Facebook, Microsoft, AT&T, and Google. The opposition to CISPA includes the Center for Democracy and Technology, the Electronic Frontier Foundation, the American Library Association, and the American Civil Liberties Union. Critics of CISPA object to the absence of protections for personal private information, broad and vague terminology, and the low “good faith” standard for exemption from liability.

This summary is based on the April 19, 2012 print of the bill.

Part 1: Cyber threat intelligence received from the government

The first part of CISPA[5] establishes procedures for certified private entities, such as hosting providers, ISPs, or other service providers, to receive “cyber threat intelligence” from government intelligence agencies within security parameters. Receiving a security clearance is a long and expensive process, so CISPA streamlines intelligence sharing by creating a class of “certified entities,” which are private organizations, such as software companies, websites, or service providers, that meet minimum security requirements, such as intelligence clearances.[6] This section allows the government to share intelligence and classified information—it does not empower private entities or the government to collect information beyond what is otherwise allowed by law. The first part is not as objectionable as the second part of CISPA.

Part 2: Cyber threat information collection and sharing among private organizations and with the government

The second part of CISPA[7] permits an organization to collect and share so-called “cyber threat information” with “any other entity” in broadly-defined circumstances. Specifically, for a “cybersecurity purpose,” any organization, such as an ISP or hosting provider, may collect this “cyber threat information” using its “cybersecurity system” to protect its rights and property.[8] An organization may share cyber threat information with any other organization for a cybersecurity purpose.[9] The crux of the controversy is over the breadth of these definitions, the virtually unrestricted ability to share such information with other organizations and the federal government, and the lack of clarity over how that information may be used.

The definitions:

  • A cybersecurity purpose is one to ensure “the integrity, confidentiality, or availability of, or safeguarding a system or network....”
  • Cyber threat information is information “directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity....”
  • A cybersecurity system is a system designed or employed with a cybersecurity purpose.
  • Cyber threat intelligence is cyber threat information in the possession of an element of the intelligence community.
  • All four of the above definitions specifically include information pertaining to the protection of a system or network from: “(A) efforts to degrade, disrupt, or destroy such system or network; or (B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information.”

The hypotheticals laid out at the end of this note suggest how broadly some of these provisions can be construed.

Limitations on the use of shared information

An organization may choose to anonymize or minimize information before sharing it. Information shared with the government will be considered proprietary, will not be released under FOIA or state information disclosure laws, and will not be shared with regulators. A company may not use information received under CISPA to gain an unfair competitive advantage.

If the government intentionally or willfully violates the applicable limitations on use, the government may be liable for actual damages. This provision was added to encourage companies to be comfortable sharing information with the government.

No mandatory disclosure

CISPA does not require any organization to collect or share cybersecurity information. If an organization receives security protection from a third party, like an online security firm, the protected organization decides how and with whom information may be shared. The protected organization’s consent is required before the security protection firm may share information with the government or other organizations.

For example, an ISP may hire a security firm to collect and share information with other ISPs for security purposes, but that ISP must authorize how and with whom the security firm can share information. The ISP’s customers’ consent is not required because only the ISP, not the customer, is considered the “protected entity” under CISPA.

Exemption from liability

An organization may not be held liable under any civil or criminal, state or federal law for collecting, sharing, or even “decisions” made on cybersecurity information, if the organization acts in “good faith” and in accordance with CISPA. In general, good faith is a vague standard meaning an absence of bad faith or an intent to deceive.[10]

Impending amendments to CISPA

CISPA is currently in the House Intelligence Committee, but it is planned to be introduced to the floor of the House of Representatives the week of April 23, 2012. The House Rules Committee reported a version of the bill with changes recommended by the House Committee on Intelligence on April 19, 2012.

Amendments to CISPA from members of the House of Representatives were due at 4:30 p.m. on April 24, 2012,[11] so the text of the bill may change. Representatives have expressed criticism over CISPA’s lack of requirements to remove personally identifiable information, CISPA’s limited control of the government’s use of disclosed information, and CISPA’s broad exemption from liability that may prevent recourse for negligent or reckless behavior.

By April 25, 2012, Representatives submitted a total of 43 different amendments to the bill.

Hypothetical situations

Situation 1. Network attack

A website is the target of a denial-of-service attack. The website may collect information about this attack to safeguard its system. The website’s operators may voluntarily share information on the attack with ISPs and the government for the purpose of ensuring the integrity of the ISPs’ or the government’s networks or systems. The ISPs may then use this information to determine the source of the attack, identify the perpetrators, and respond to protect their networks. The ISPs may share information about the perpetrators with any other organization, including the website. Such information is “cybersecurity information” because it directly pertains to the threat to a system, and it is shared for a “cybersecurity purpose” because the purpose is safeguarding a system.

The ISPs are not inhibited by any state or federal laws that would discourage sharing information, such as antitrust laws.[12] The ISP would also be immune from liability if it disclosed, in good faith, personally identifiable information about its users for the purpose of safeguarding a network or system.

Situation 2. Monitoring hosted emails for threats

A company provides web hosting services and hosted email services. For the purpose of safeguarding its network and system, the company may collect information from its customers’ hosted email that directly pertains to a threat to the company’s network or system.

The company is not required to inform its customers, which could include websites, companies with email lists, or nonprofit organizations with hosted documents, that the company is monitoring their communications. The company is exempt from liability if it acts in good faith and in accordance with CISPA.

Situation 3. Misappropriation of private proprietary information

A company believes that a user has unauthorized access to its network and is misappropriating private proprietary information. The company believes that the user is uploading the misappropriated information to another website.

The company may collect information on threats to its own network, including information on the user’s efforts to gain unauthorized access to the company’s network. The definition of “cyber threat information” includes information pertaining to the protection of a private network from efforts to gain unauthorized access to the network to steal or misappropriate private information.

It is unclear if the other website may also collect information on the user. The website’s information on the user pertains to a threat to “a network,” but not to the website’s own network. CISPA only allows the website to collect information to protect its own rights and property.

The website may choose to collect information on the user to ensure that he or she is not a threat to its own network. The website may also believe that monitoring a threat to the company’s network will protect its own rights and property. It is unclear if a website may collect information for one reason and then share it for another.

This ambiguity is troublesome. Under a broad interpretation of these provisions, companies may bypass the laws that protect customers’ privacy, such as public disclosure laws or the Stored Communications Act. Under CISPA, the company and the website’s operators are not liable for any violations of their terms of service or other laws, as long as they acted in good faith and in accordance with CISPA.

Situation 4. Upstream or downstream service providers

If the website’s operators choose not to disclose their user’s information in the previous hypothetical, the company may still be able to receive information from the website’s upstream or downstream service providers, such as the website’s hosting service, an ISP, or a hosted email provider.

A service provider may voluntarily collect and share information about its own networks, including the website’s use of those networks, to protect its own rights or property.[13] The same ambiguities from the previous hypothetical apply as to what degree a company may collect information based on a threat to another’s system or network.

Neither the website’s operators nor the user may bring an action, such as breach of contract, against the service providers as long as the service provider acted in good faith and in accordance with CISPA.

References

  1. H.R. 3523, Cyber Intelligence Sharing and Protection Act, Rules Committee Print 112-220 (“CISPA”) (accessed April 23, 2012)
  2. Other pending cybersecurity legislation includes the PRECISE Act (H.R. 3674), the Cybersecurity Act of 2012 (S.2105), and the SECURE IT Act (S.2151).
  3. H.R. Rep. No. 112-445 (2012), Report with Minority Views to accompany H.R. 3523 (the “Intelligence Committee Report”) at 4-6 (accessed April 23, 2012).
  4. This is significant because the “cybersecurity purpose” is the main limiting principle of CISPA. The definition alone allows safeguarding any network or system. Section 1104(b)(1)(A)(i) limits collection to the protected entity’s rights and property, which would mean that the cybersecurity purpose must relate to the protected entity’s own system or network. The Intelligence Committee Report at 11 contemplates something broader than an entity’s own network:
    In this context, it is the Committee’s intent that the protection of the rights and property of a corporate entity includes, but is not limited to, the protection of the systems and networks that make up its own corporate internal and external information systems but also the systems and networks over which it provides services to its customers.
  5. CISPA § 1104(a)
  6. See Intelligence Committee Report at 9 for a description of the purpose of this section.
  7. CISPA § 1104(b)
  8. CISPA §§ 1104(b)(1)(A)(i) (for organizations using a cybersecurity provider) and 1104(b)(1)(B)(i) (for organizations who act as their own cybersecurity provider)
  9. CISPA §§ 1104(b)(1)(A)(ii) (for organizations using a cybersecurity provider) and 1104(b)(1)(B)(ii) (for organizations who act as their own cybersecurity provider)
  10. The Intelligence Committee Report at 13-14 illustrates that this provision creates a broad exemption from liability: “the Committee expects that good faith will be presumed in the absence of substantial evidence to the contrary.”
  11. House of Representatives Committee on Rules, Amendment Process Announcement for H.R. 3523 (accessed April 23, 2012).
  12. Intelligence Committee Report at 10:
    Potential barriers to such sharing that would be addressed by this provision include, but are not limited to, provisions of federal antitrust law, which some believe may limit sharing of cyber threat information between competitors in the private sector, as well as provisions of other federal laws including the telecommunications laws.
  13. The Intelligence Committee Report at 11 believes that CISPA allows upstream and downstream service providers to share information on related threats:
    For example, the Committee expects that an internet service provider or telecommunications company may seek to protect not only its own corporate networks but also the backbone communications systems and networks over which it provides services to its customers. … The Committee specifically intends the authorities provided in subsection (b) to permit private sector entities to protect such systems and networks.