IS THE NEW CYBERSECURITY ACT A SURVEILLANCE ACT IN DISGUISE?

In the recent Congressional rush to pass an omnibus spending plan and keep the federal government running for another year, House Majority Leader Paul Ryan quietly inserted a cybersecurity bill. Then the whole package was signed into law.

Congress had been trying for years to pass cybersecurity legislation. They felt increasing pressure to act each time a well-known entity fell prey to a cyber attack. The latest versions of the cyber law drew widespread support from both major political parties, both houses of Congress, the White House, and the Chamber of Commerce. So the birth of the cyber statute seems like a success.

On the other hand, privacy advocates described the last-minute Congressional surprise as a “surveillance bill.” They complain it will let the government spy on Internet users in violation of their privacy rights.

What does the new law say, and how does it affect communication service providers (CSPs)?

Summary of the Cybersecurity Act

The Cybersecurity Act of 2015 (the Act) is a modified version of a longstanding Congressional proposal. The Act essentially: (a) permits CSPs to engage in real-time automated sharing of cyber threat information with the government; and (b) gives them liability protection for the voluntary sharing. Before a CSP shares a “cyber threat indicator” it must filter out any personally identifiable information that is “not directly related to the cybersecurity threat.”

The Act essentially defines “cyber threat indicator” as information necessary to describe or identify malicious patterns of communications.

The goal of the Act is to coordinate better defenses against cyber attacks without causing privacy harm. The central coordinating role is assigned to a component of the Department of Homeland Security called the National Cybersecurity and Communications Integration Center (the “CCIC”). Theoretically, the real-time sharing of threat information will help the CCIC flag malicious cyber activity more quickly and orchestrate more agile countermeasures. The resulting rapid-response system is expected to fortify IT networks of all kinds, including communications systems, banking networks, electricity grids, and government operations.

The Cybersecurity Act Provision on Law Enforcement

When the CCIC receives a cyber threat indicator it may share the information with other government agencies, including law enforcement agencies, for purposes of “reporting known or suspected criminal activity.”

This provision of the Act aims to catch the hackers who perpetrate cyber attacks.

However, privacy experts suspect the law enforcement clause opens a dangerous loophole. Consider this scenario. A criminal hacks a health insurance network. The insurance company discloses all the involved medical records to the CCIC. The CCIC then shares the records with the Drug Enforcement Administration. And the DEA uses the records to arrest a suspected drug dealer unrelated to the cyber attack.

The medical records may arguably be “directly related” to the cyber attack, and the insurance company is not required to engage in any particular degree of filtering to protect the privacy of the records. Therefore the company might conceivably disclose the records to the CCIC and thereby risk infringing the medical privacy of countless insurance customers. At the next stage of the scenario, the DEA may obtain the records without probable cause or other due process.

The above scenario seems unrealistic for two reasons. First, a medical record does not appear to meet the definition of “cyber threat indicator” because it is not information necessary to describe or identify malicious patterns of communications. A medical record may be compromised in a cyber attack but it is not necessary to identify the means of attack.

The second safeguard against a privacy infringement rests on the one-way nature of the information sharing. Under the Act, neither CCIC nor a law enforcement agency may force the insurance company to disclose cyber threat indicators. The government agencies may only view indicators they receive from the company. In fact, the company may remove as much cyber data as it wants from the disclosure.

In the stage of the medical records scenario where CCIC shares the records with the DEA, the Act grants no new powers to law enforcement. Government agencies, including law enforcement agencies, have always been permitted to share communications, records, and other information for purposes of criminal investigations. The Act merely confirms that the interagency sharing rules are not altered by the sharing of cyber threat indicators.

The last issue is whether the DEA may use a cyber threat indicator to arrest a suspected drug dealer with no connection to the cyber attack. Law enforcement agents do not need due process to gather all types of evidence. For example, they do not need a court order to photograph skid marks on a road, listen to a conversation among shoppers in a grocery store, or copy a telephone number from a phone book. They need due process only to gather information protected by privacy laws. Cyber threat indicators are not protected by any U.S. privacy law. In any event, CSPs can rely on the Act’s immunity from liability and let the prosecutor defend the evidence at the suspect’s trial.

Best Practice to Implement the Cybersecurity Act

If a CSP is caught in a cyber attack, it appears extremely unlikely that its disclosure of malicious code to CCIC would further a law enforcement investigation unrelated to the attack. Nevertheless, CSPs should always guard against over-disclosures of private subscriber information.

As a best practice CSPs should carefully filter cyber threat indicators before sharing them with the CCIC. The resulting disclosure should contain nothing more or less than the cyber data needed to combat the attack.