The revised Cybersecurity Act sponsored by Lieberman and Collins needs work. Its provisions expand the government's ability to conduct network surveillance and interfere with the egalitarian flow of cybersecurity information. The proposal should be amended to further narrow and clarify the circumstances under which otherwise illegal wiretapping and surveillance are allowed, to narrow the definition of "countermeasures" to only defensive actions that shield one's own machines, and to encourage declassification and publication of cyberthreat information.
I give a great shout out to the people who worked on improving the privacy and civil liberties protections in this bill. The ACLU has explained them well.
However, the provisions where the Bill increases surveillance authority remain worrisome. To follow along with me, you can look at my annotated copy of the Bill, here.
One increase is encoded on page 55 (in §3353). That provision allows the Secretary of Commerce to order monitoring, even real-time monitoring, of agency networks for cyberthreats, even if those threats would not endanger the rights and property of the agency, so long as the information is used only for cybersecurity purposes or would otherwise be lawful to disclose.
To dig deeper, the language of the Bill allows the Secretary of Commerce, upon making a certification that the surveillance is "reasonably necessary" to protect from a security threat, to intercept or otherwise access and use communications and system traffic "notwithstanding any other law". The Electronic Communications Privacy Act (ECPA) would otherwise prohibit the Secretary from such actions, though the owners of systems are allowed to intercept to protect their rights and property. This provision expands the authorized party from the owner, presumably the head of the Agency that operates the network, to the Secretary, and expands the reasons for allowable intercept to include developing threat, vulnerability and impact assessments, penetration testing and intrusion detection. (See page 52, subsections (b)(3) & (4).) However, the Secretary's certification and the proposed use limitations would ensure that the information obtained may only be collected, retained and used to protect the information system. This data can also be used for criminal purposes, but only if not otherwise prohibited by law. I assume that means that if the collection would have violated ECPA were ECPA to apply, then the information may not be used in a criminal prosecution. I also assume that means that if the information is protected from voluntary disclosure to law enforcement by the SCA, the government would still need to get appropriate legal authorization.
A related surveillance authorization is on page 75, which authorizes Agency heads to allow the Secretary to conduct the surveillance. The surveillance limitations in §3353 are not reiterated here, so it's unclear to me how they interact. Can the Agency head ask, but the Secretary not agree unless the certification requirements are met? Or are those surveillance safeguards inapplicable if the request comes from the Agency head? This section should be clarified, at the very least, to bring it into line with the language on page 55.
Another worrisome expansion of surveillance capabilities is on page 168. There, section 701 allows any private entity, notwithstanding FISA or the Communications Act, to monitor its networks for malicious activity, vulnerabilities, and "efforts to cause a user with legitimate access … to unwittingly enable the defeat of a technical control or an operational (human-based) control." Could this provision authorize your ISP or service provider to intercept and read your email, purportedly to search for phishing attempts? The reason I'm not sure is that FISA does not prohibit wiretapping; it authorizes wiretapping under a set of foreign-intelligence-related circumstances. It's ECPA that prohibits interception of communications, and this section does not purport to alter ECPA. The Communications Act prohibits telecommunications carriers from using customer proprietary network information (CPNI) except for provision of service, to protect the carrier's rights and property, or in other situations that do not apply here. It's not clear to me how this kind of call information will generally be relevant to the cybersecurity purposes enumerated in section 701.
The Bill sponsors should identify what existing provisions of ECPA, FISA or the Communications Act they believe interfere with cyberthreat mitigation, and then, if the people agree, our elected representatives in Congress should clarify these provisions so that everyone knows what's allowed and what isn't.
The bill has two different definitions of countermeasure, one on page 47 and one on page 204. The final definitions should (1) be the same, (2) retain the "defensive intent" language and (3) include the requirement that the target system be known or suspected to pose a cybersecurity threat. The bill should also continue to make clear that no one is allowed to use countermeasures that would constitute unauthorized access to another entity's computer system, as currently prohibited by 18 USC 1030 (the Computer Fraud and Abuse Act, or CFAA). (The "notwithstanding" language in the countermeasure sections does not purport to preempt the CFAA.)
The Bill continues the practice of exempting certain information from public disclosure under the Freedom of Information Act (sec. 704), but it does give lip service to declassification and sharing of other information on page 202. I hope that in implementing the Act, the Director of National Intelligence and the Secretary of Commerce take this public education mission seriously.
DO WE NEED THIS BILL?
The revised Lieberman/Collins Cybersecurity Act released late yesterday is a 211-page comprehensive effort to get government agencies and critical infrastructure operators to take cybersecurity seriously. According to the CSIS Commission on Cybersecurity for the 44th Presidency, the effort is much needed and long overdue. The Bill requires a lot of reporting, studying, and rulemaking to be done later, but it is a step forward for those who see government implementation of state-of-the-art security practices lagging behind.
It's not as clear what the bill portends for private industry. Apparently the Chamber of Commerce was successful in its push to avoid new regulations, as the guidelines in the Act are just that, voluntary guidelines. (See Secs. 103, 104.) The CSIS Commission warns in its most recent report, Cybersecurity Two Years Later (2011), that "voluntary efforts will be inadequate against advanced nation-state opponents." And yet, the research has not been done on whether and how security standards improve security practices, although scholars like David Thaw are starting that work. I do not know whether cybersecurity regulation would on the whole be a good thing. Given that uncertainty, I'm glad that the Act is holding off on private entity regulation until further research is performed. In the meantime, we do know that sharing cybersecurity information, so that operators and the public can be aware of threats and act accordingly, is essential.