By Charlotte Walden
The first CISPA blog established that private companies, such as Facebook and Google, might voluntarily share cyber threat information/intelligence with the federal government. But before discussing cyber threat information in more detail, it is best to discuss the importance of finding a bill that has everybody talking, via the Library of Congress’s website. By going directly to the text of the bill, the reader can decide for themselves which claims are valid and which are not. By relying solely on what someone else says a bill is, without ever having read the text for oneself, one has no way to substantiate the other’s claims. Indeed, without actually reading the text, one may very well oppose something they might otherwise have supported.
Though reading through and researching proposed legislation is a long and arduous process, it helps facilitate a more informed discussion about the proposed legislation. It is also hoped that the reader will imitate the writer’s process whenever the reader is curious about proposed legislation. Perhaps, after reading through the text yourself, you will disagree with the contention of this blog that CISPA is likely to cause self-censorship amongst Internet users. Or perhaps you won't. But how will you know if you never read the text for yourself?
With that said, let’s turn back to CISPA. The last blog mentioned cyber threat intelligence and cyber threat information very briefly, without going into further detail; this blog will rectify that deficiency.
I. Cyber Threat Information/Intelligence: A Recap
First, CISPA defines cyber threat information and cyber threat intelligence similarly. Section 1104(h)(4) defines cyber threat information and section 1104(h)(5) of CISPA defines cyber threat intelligence. The definitions are as follows:
The term ‘cyber threat information’ means information directly pertaining to— (whereas cyber threat intelligence means “intelligence in possession of an element of the intelligence community directly pertaining to—”)
(i) a vulnerability of a system or network of a government or private entity;
(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;
(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or
(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.
(B) EXCLUSION.—Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
Thus, private companies are only allowed to voluntarily share your information if it fits the above definition. However, some people are concerned that this definition could start a modern-day McCarthyism. As one blogger put it, “depending on one’s political leanings, [a group or organization could land on the government’s watch list]” (Samson, 2012). This should raise, and has raised, concerns amongst librarians. If interpreted in a certain way, the cyber threat definitions could hinder information sharing on the Internet. For instance, if one looked at the structure of government as a system, then subversive comments on Facebook or subversive websites found on Google could constitute a vulnerability under the cyber threat definitions. Since “vulnerability” is not defined in CISPA, it is not quite clear what the drafters have in mind. Thus, with the potential of being placed on a government watch list, some dissenters might be afraid to share certain types of information on the Internet because of these vague definitional terms.
II. Limitations On Cyber Threat Information
After information is determined to be cyber threat information, CISPA sets up limitations on that information. Specifically, CISPA places limitations on how cyber threat information is shared, on what the government can do with cyber threat information, and on the sources from which cyber threat information can come.
A. Limitations On Sharing Cyber Threat Information
Section 1104(b)(3) states “Cyber threat information shared in accordance with paragraph (1) [Editor's Note: paragraph (1) is a reference to the section about voluntarily sharing cyber threat information amongst certified entities and the Federal Government]—
(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing, including appropriate anonymization or minimization of such information;
· (Editor's Note: Some opponents believe this provision will allow companies like Facebook to share comments with the federal government without redacting any personal information (Cole, 2012).)
(B) may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information;
(C) if shared with the Federal Government—
(i) shall be exempt from disclosure under section 552 of title 5, United States Code
· (Editor's Note: This is the Freedom of Information Act [FOIA], which allows the public to access federal agency records, although there are nine [9] exemptions that prevent such disclosure. Since cyber threat information deals with national security issues [see section 1104(b)(3)(C)(v) of CISPA] and FOIA already exempts information dealing with national security concerns [see 5 U.S.C. § 552(b)(1)], it is likely that some cyber threat information would have been exempt from disclosure under FOIA even without CISPA's exemption. This is exactly a point the American Library Association [ALA] made. In a letter stating their disapproval of CISPA, the ALA and other organizations stated:
[CISPA] unwisely and unnecessarily cuts off all public access to cyber threat information before the public and Congress have the chance to understand the types of information that are withheld under the bill. Much of the sensitive information private companies are likely to share with the government is already protected from disclosure under the FOIA. Other information that may be shared could be critical for the public to ensure its safety. The public needs access to some information to be able to assess whether the government is adequately combating cybersecurity threats and, when necessary, to hold officials accountable (American Association of Law Libraries et al., 2012).
Yet, FOIA is not the only public disclosure law from which cyber threat information is exempt; cyber threat information is also exempt from disclosure under state, local, or tribal law or regulation [see section 1104(b)(D)].
So, taken with the voluntary sharing scheme, CISPA's exemptions from public disclosure law create a situation like Jeremy Bentham's panoptic prison, where the public does not know whether they are actually being watched but behave as though they are; in this case, that behavior may result in a redacting of certain types of information on the Internet. While such anti-public disclosure provisions may be helpful for national security purposes, they also have the potential to hinder information sharing for fear of Big Brother. Therein lies a great debate between national security and civil liberties.)
(ii) shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information;
(iii) shall not be used by the Federal Government for regulatory purposes;
(vi) shall not be provided by the department or agency of the Federal Government receiving such cyber threat information to another department or agency of the Federal Government under paragraph (2)(A) [Note: this refers to the provision that allows sharing between federal agencies…more on that in a later blog] if—
(I) the entity providing such information determines that the provision of such information will undermine the purpose for which such information is shared; or
(II) unless otherwise directed by the President, the head of the department or agency of the Federal Government receiving such cyber threat information determines that the provision of such information will undermine the purpose for which such information is shared; and
(v) shall be handled by the Federal Government consistent with the need to protect sources and methods and the national security of the United States; and
(D) shall be exempt from disclosure under a State, local, or tribal law or regulation that requires public disclosure of information by a public or quasi-public entity.
B. Limitations On How The Government Can Use This Information
Section 1104(c)(1) of CISPA states “[t]he Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b) [Editor's Note: the subsection referred to sets up the voluntary sharing of cyber threat information amongst certified entities and the federal government]—
(A) for cybersecurity purposes;
(B) for the investigation and prosecution of cybersecurity crimes;
(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm;
(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in 2258A(a)(2) of title 18, United States Code; or
(E) to protect national security of the US.”
CISPA also requires the government to take “reasonable efforts” to limit the impact on privacy and civil liberties (see section 1104(c)(5)). However, if one asks any lawyer or law student to describe what “reasonable efforts” might mean, one will soon realize that this does not offer much protection. Again, broad terms create a further disincentive for the public to share information on the Internet.
Furthermore, on an additional note related to privacy and CISPA, the word “notwithstanding” used in Section 1401(b)(1)(A) and section 1401(b)(1)(B) [the sections that allow certified entities to voluntarily share information with the federal government] has raised concerns amongst the public. For instance, the non-partisan Congressional Review Committee stated that by using the word “notwithstanding” in any legislation, the drafters intend to “supersede any conflicting provisions of previous law” (Beth, 2003). This means, as some have contended, that, aside from being exempt from disclosure laws, CISPA could trump many privacy laws (McCallugh, 2012). The notwithstanding provisions have even led some to claim that CISPA could violate the unreasonable search and seizure clause (4th Amendment) of the U.S. Constitution. (Please see the embedded YouTube video.)
C. Sources Where The Government May Not Get Cyber Threat Information
Section 1104(c)(4) of CISPA states the federal government may not use cyber threat information from the following sources:
(A) Library circulation records.
(B) Library patron lists.
(C) Book sales records.
(D) Book customer lists.
(E) Firearms sales records.
(F) Tax return records.
(G) Educational records.
(H) Medical records.
III. Limitations Placed On Cyber Threat Intelligence
Under section 1104(a)(2)(A)(i-ii), CISPA states that only certified entities or persons with appropriate security clearance may share classified cyber threat intelligence. Additionally, cyber threat intelligence may only be shared for national security purposes and may only be used by a certified entity or persons with appropriate security clearance in a manner that prevents unauthorized disclosure (see section 1104(a)(2)(B)-(C)).
A Summation of CISPA Thus Far
So, as CISPA stands in the Senate right now, the bill would allow private companies to voluntarily share cyber threat information with the federal government. This bill would also exempt cyber threat information from many disclosure laws and from many privacy laws. There is also controversy over what cyber threat information means.
The next CISPA blog will discuss more controversial provisions, as well as give the reader some insight about why others support this bill.
References:
American Association of Law Libraries et al. (2012). Coalition letter to House representatives. American Library Association. Retrieved from http://www.openthegovernment.org/sites/default/files/Rogers%20cybersecurity%20letter%202.pdf
Cole, J. (2012, April 28). Explaining the CISPA cybersecurity bill, the latest threat to your privacy. Informed Comment. Retrieved from http://www.juancole.com/2012/04/explaining-the-cispa-cybersecurity-bill-the-latest-threat-to-your-privacy.html
Beth, R. S. (2003, August 4). How bills amend statutes. CRS Report for Congress. Retrieved from http://lugar.senate.gov/services/pdf_crs/senate/procedure/How_Bills_Amend_Statutes.pdf
McCallugh, D. (2012, April 27). How CISPA would affect you (FAQ). CNET News. Retrieved from http://news.cnet.com/8301-31921_3-57422693-281/how-cispa-would-affect-you-faq/
Samson, T. (2012, April 30). Why CISPA could kill the cloud (web blog). InfoWorld. Retrieved from http://www.infoworld.com/t/cloud-computing/why-cispa-could-kill-the-cloud-192014