Computers, Privacy & the Constitution

The Cyber Intelligence Sharing and Protection Act

I. Introduction

This Article will explain the proposed Cyber Intelligence Sharing and Protection Act (“CISPA”) and analyze the policy thereof.

II. The Proposed Law

A. History

CISPA was initially introduced into the House of Representatives as H.R. 3523 in 2011. After rejection by the Senate, it was reintroduced into the House as H.R. 624 on February 12, 2013. H.R. 624 passed in the House on April 18, 2013. Prospects for CISPA are uncertain, as President Obama has threatened to veto it.

B. Information Sharing

The stated purpose of the Act is “to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.” Pursuant to this purpose, the Act amends Title XI of the National Security Act of 1947 to provide that the intelligence community may share “Cyber Threat Intelligence” with specified private-sector entities, and that either a “Cybersecurity Provider” or a “Self-Protected Entity” may (but is not required to) use its “Cybersecurity Systems” to obtain “Cyber Threat Information” and share such information with any other entity (including the Federal Government). Currently, the intelligence community cannot share such information with entities that lack a security clearance.

A “Cybersecurity Provider” is a non-Federal entity that provides goods or services intended to be used for cybersecurity purposes, while a “Self-Protected Entity” is an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself. “Cyber Threat Information” means information “directly pertaining to: (i) a vulnerability of a system or network of a government or private entity or utility, (ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network, (iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility, or (iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility…”

If such information is shared with the Federal Government, it is exempt from disclosure under the Freedom of Information Act.

C. Limitations on Federal Government Information Use

The Federal Government may use and retain such received “Cyber Threat Information” only for: (i) “Cybersecurity Purposes,” (ii) the investigation or prosecution of “Cybersecurity Crimes,” (iii) the protection of individuals from the danger of death or serious bodily harm, or (iv) the protection of minors from sexual exploitation or serious threats to physical safety. The Federal Government can only affirmatively search “Cyber Threat Information” for a purpose listed in the preceding sentence.

A “Cybersecurity Purpose” is the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network. A “Cybersecurity Crime” is (i) a crime under a Federal or State law that involves (A) efforts to deny access to or degrade, disrupt, or destroy a system or network, (B) efforts to gain unauthorized access to a system or network, or (C) efforts to exfiltrate information from a system or network without authorization, or (ii) the violation of a provision of Federal law relating to computer crimes. If the Federal Government intentionally or willfully violates the limitations on its disclosure, use or protection of such information, the Act creates a private cause of action. However, because such information cannot be accessed through FOIA, such an action will be very difficult to sustain.

In addition to the aforementioned use/retention restrictions, the Federal Government cannot use the following shared information if it contains identifying information: (i) Library circulation records, (ii) Library patron lists, (iii) Book sales records, (iv) Book customer lists, (v) Firearms sales records, (vi) Tax return records, (vii) Educational records, or (viii) Medical records.

The Act expressly states that nothing therein shall authorize the Department of Defense, National Security Agency, or “any other element of the intelligence community” to target a United States person for surveillance, and each private entity that shares information with the Federal Government can place restrictions on the sharing of such information. The Act directs specified Federal Agencies to create and review policies governing the receipt, use and retention of non-publicly available cyber threat information to minimize the impact on privacy and civil liberties. Such policies would be subject to congressional oversight.

III. Analysis

The proposed Act is a classic example of an attempt to balance security and liberty. Certainly, the protection of cyber networks from attacks resulting in either (i) disclosure of individual, corporate, or governmental confidential information, or (ii) a reduction in the availability of such networks is an important goal. The availability of such networks is essential for a functioning modern society, and protection against disclosure is important for our national security, business competitiveness, and individual civil liberty. Similarly, protection of individuals against death or serious bodily harm, and of minors against sexual exploitation, are important goals. However, such goals must be balanced against the threats to civil liberty that result from the availability of such information. An essential foundation of a free society is the right to privacy. The sharing without consent of an individual’s information relating to internet and phone use is a serious threat to this essential foundation.

The values supporting information sharing can justify such sharing if measures are taken to address civil liberties concerns. Information that directly or indirectly identifies individuals should not be shared. Those protecting our security could still defend our networks and learn about attacks from a given entity (like another state) without knowing anything about the individuals themselves. Additionally, information regarding the general use of such shared information should be obtainable via FOIA, so as to give force to the idea of private suits as a means of enforcing the use limitations on the Federal Government. Similarly, suits should be allowed against private entities that share individually identifying information. These additional measures are essential and must be strictly enforced to ensure that we do not slide down a slippery slope into an Orwellian abyss.

-- CoryNelson - 23 Apr 2013
