CISPA Unlikely to Threaten Privacy Protections in Cybersecurity Framework, Experts Say

While the Senate is unlikely to take up CISPA, the spirit of that legislation could influence the Senate’s debate on cybersecurity, and pieces of it could emerge in other legislation, said Michelle Richardson, ACLU legislative counsel in the group’s Washington legislative office. If CISPA did become law, it has the potential to undercut existing privacy practices and influence what emerges from the Cybersecurity Framework process, Richardson said. The ACLU is concerned CISPA would grant immunity to companies for actions they take in response to cyberthreats, which could lead to “hackback” -- companies hacking into threatening systems in pursuit of bad actors, Richardson said. “There are pretty substantial concerns about the collateral damage you could cause, even if you were acting in good faith,” she said. “That certainly would undercut the idea that they're trying to create standards.” The ACLU is also concerned CISPA would undercut the framework’s potential to encourage cybersecurity standards to include “privacy by design,” Richardson said. “That goal would be thwarted by passing something that says you don’t have to respect privacy,” she said. Even if CISPA is truly off the table in the Senate, the ACLU plans to continue to push the Senate to keep cybersecurity efforts under civilian control and related privacy issues, Richardson said.

The Center for Democracy and Technology (CDT) has been more focused on the privacy implications of CISPA than it has on the Cybersecurity Framework and other portions of Obama’s order because CISPA poses a “greater threat to privacy than could the framework,” said Greg Nojeim, CDT senior counsel. While the Senate is likely to take up its own cybersecurity legislation rather than CISPA, it’s hard to predict how the Senate bill will compare because a concrete bill has not gone public yet, Nojeim said. CDT’s lobbying and protest efforts on Senate cybersecurity legislation this Congress “will be determined by what’s introduced,” he said. The Senate was unable to invoke cloture on its Cybersecurity Act, S-3414, in the last Congress (WID Nov 16 p1).

The Electronic Privacy Information Center (EPIC) is concerned about the privacy implications of CISPA, but does not believe it would have an impact on privacy protections included in Obama’s cybersecurity order, said Jeramie Scott, EPIC national security fellow. The order focuses on a “two-way street” of information sharing, with the government sharing threat intelligence with critical infrastructure operators just as much as they share information with the government; CISPA focuses only on the private sector sharing information with the government, he said. Even in its amended version, the latest version of CISPA does not contain enough privacy protection, Scott said. While EPIC does not lobby or protest for or against legislation in Congress, it makes a point of noting where protection is lacking, he said.

Since the Cybersecurity Framework is still in the beginning stages of development, it’s difficult to say what the framework’s privacy protections will ultimately look like, Richardson said. There has been some movement on crafting those protections, with NIST holding regular meetings with the ACLU, other privacy groups and the privacy staff at federal agencies, she said. A DHS review of the privacy and civil liberties risks of its own current cybersecurity activities, as well as those of other agencies, won’t be completed until February, Richardson said. While the ACLU did not submit comments to NIST in advance of the Cybersecurity Framework’s development, the group continues to communicate with NIST and the White House in the hope that privacy is “baked in from the get-go,” Richardson said.

EPIC is generally confident about the privacy and civil liberties protections included in Obama’s cybersecurity order, Scott said. EPIC was encouraged that the order directed federal agencies to include privacy and civil liberties protections in their cybersecurity activities based on the Fair Information Practice Principles, as well as the order’s reliance on civilian-led DHS and NIST to lead development of the Cybersecurity Framework, Scott said. “The order is very specific that this process will be run by civilian agencies,” he said. EPIC believes “it’s important that civilian control” of Cybersecurity Framework development be maintained, Scott said. The group had in the past been concerned that the National Security Agency (NSA) was taking on too large of a role in national cybersecurity efforts. While NSA has important expertise in cybersecurity that will be valuable, civilian control of cybersecurity is critical because it is the only way to ensure effective transparency and oversight, Scott said. EPIC told NIST in comments related to the Cybersecurity Framework that “cybersecurity efforts must be in the hands of a civilian agency,” and that NSA should not become the “de facto leader of cybersecurity behind the scenes” (http://1.usa.gov/1815xHR).

The Cybersecurity Framework development is a collaborative process, so EPIC may yet have additional suggestions related to privacy protections as more information about the framework coalesces, Scott said. EPIC is especially interested to know how much the Cybersecurity Framework may be influenced by Einstein, a government cybersecurity program, Scott said. The program monitors all .gov domain traffic to and from civilian federal agencies, according to a DHS privacy impact assessment released earlier this month (http://1.usa.gov/ZMitk2). The soon-to-be-deployed latest version, Einstein 3, could potentially collect personally identifiable information in the process of monitoring for cyberattacks, which EPIC is concerned about, Scott said. DHS said in the privacy report it is mitigating the potential for collection of personally identifiable information by developing a set of indicators that will winnow down the data the Einstein 3 program collects so it is “not overly broad” in its scope. Potential similarities and differences between the Einstein program and the Cybersecurity Framework is “an interesting question we'll keep in mind going forward,” Scott said.

Einstein will have some effect on the framework through the Enhanced Cybersecurity Services (ECS) program, a voluntary DHS-Department of Defense program that shares classified information on cyberthreats with infrastructure companies and service providers that provide security services for critical infrastructure, Richardson said. Obama’s cybersecurity order directs DHS and Defense to expand the program beyond the defense industrial base to include all “critical infrastructure sectors.” Einstein’s “intrusion prevention capabilities” will be utilized in ECS, DHS said in a privacy impact assessment (http://1.usa.gov/14vLoL5). The flow of information in ECS, however, is mostly from the government to the private sector, Richardson said. “What the private sector gives back to the government is not private information, just statistics,” she said.

Obama’s order also mandates “pretty good, but not the best” privacy requirements for companies involved in the ECS, said Mark Jaycox, a policy analyst at the Electronic Frontier Foundation. While ECS does utilize the Einstein program, as of earlier this year it was using the Einstein 2 version, which does not involve content-scanning actions that would raise privacy concerns, he said. Einstein’s presence in the ECS framework would only become an issue if it began utilizing Einstein 3’s content-scanning elements, he said. A DHS spokeswoman declined to comment.