DHS – “Privacy Problems with CISA”

The Senate is expected to begin debate this week on S.754, the Cybersecurity Information Sharing Act (CISA), and at least one government agency is raising privacy and civil liberties concerns with respect to this legislation. Specifically, the Department of Homeland Security (DHS) is concerned that the desire to share information in real time could prevent it from scrubbing the data to erase personally identifiable information or other private information contained in the data.

The primary purpose of CISA is to encourage the sharing of cyber threat indicators between federal agencies, the private sector and other governmental entities. The hope is to prevent or, at the very least, mitigate the effects of a cyber attack. An important component of this information sharing is “real time collaboration” between all of these entities. At the center of this collaboration is the National Cybersecurity and Communications Integration Center (NCCIC), which is staffed 24/7/365. The NCCIC was created as part of the National Cybersecurity Protection Act of 2014 as a hub for sharing information among federal agencies.

The bill has been delayed as a result of privacy concerns with the legislation. On July 31, 2015, DHS, responding to concerns and questions raised by Senator Al Franken (D-MN), confirmed in a letter that this legislation, as currently written, could hinder privacy.

DHS’s concern centers on language in Section 5(a)(3)(A)(ii) of the bill, which requires that cyber threat indicators shared with the Federal Government “are not subject to any delay, modification, or other action that could impede real-time receipt by all of the appropriate Federal entities . . .”.

In short, based on this language in the current bill, data shared in real time will not be “scrubbed” or modified to protect personally identifiable information or other private information before it can be spread to other entities. The letter notes, “While DHS aims to conduct a privacy scrub quickly so that data can be shared in close to real time, the language [of CISA] as currently written would complicate efforts to do so.”

DHS notes that “[w]hile the current Cybersecurity Information Sharing Act recognizes the need for policies and procedures governing automatic information sharing, those policies and procedures would not effectively mitigate these issues if the requirement to share ‘not subject to any delay [or] modification’ remains.”

DHS also recommended language “requiring cyber threat information received by DHS to be provided to other federal agencies in ‘as close to real time as practicable’ and ‘in accordance with applicable policies and procedures.’”

Senate leaders are currently working to address these and other concerns by proposing to limit who has access to the information and the length of time they can use it. The White House is endorsing the bill in the Senate and has previously endorsed, with some qualifications, a similar bill passed in the House of Representatives.