Understanding CISA with Lawfare’s Susan Hennessey
Wed at 10AM PT/ 1PM ET on WebmasterRadio.fm
Susan Hennessey is Fellow in National Security in Governance Studies at the Brookings Institution. She is the Managing Editor of the Lawfare blog, which is devoted to sober and serious discussion of “Hard National Security Choices.” She focuses on national security issues surrounding cybersecurity, surveillance, federal terrorism prosecutions, and congressional oversight of the intelligence community.
Prior to joining Brookings, Ms. Hennessey was an attorney in the Office of General Counsel of the National Security Agency. At the NSA, she advised operational elements on matters relating to Information Assurance and Cybersecurity and represented the Agency on cybersecurity legislation and related executive actions.
Hennessey received her J.D. from Harvard Law School and B.A. in Italian from the University of California, Los Angeles.
The Cybersecurity Information Sharing Act passed Congress last year as part of the 2015 budget package signed by President Obama on December 18, 2015. While CISA had support from the business community, including the powerful US Chamber of Commerce and the National Cable & Telecommunications Association, it was opposed by civil liberties groups, Twitter, Yelp, Apple, and the Computer & Communications Industry Association, whose members include Google, Amazon.com, Cloudflare, Netflix, Facebook, Red Hat, and Yahoo!. Edward Snowden said a vote for CISA was a vote against the internet.
Susan Hennessey has addressed the arguments against CISA in a series of columns in Lawfare. She argues:
CISA comes at a cybersecurity crisis point. The principal solutions to the crisis all require that private industry do more to protect the personal data in its possession and under its control. In evaluating CISA and other proposed measures, privacy advocates focus largely on governmental access to and use of information. And yes, CISA authorizes important voluntary information sharing and the government’s role in that sharing certainly merits attention. But the singular focus—and the attendant reflexive suspicions—on this aspect of the bill warps the real privacy interests at stake by failing to acknowledge that security is a necessary element of privacy. Once criminals have your personal information, it is no longer private. And if privacy is the ultimate goal, the first step is to keep data safe.
The Problems CISA Solves: ECPA Reform in Disguise
Hennessey explains that “CISA is clearly aimed at eliminating the concerns and uncertainty created by ECPA and state laws about information sharing. However, it does so only to a limited set of monitorings—those which are conducted ‘for cybersecurity purposes.’”
CISA in Context: Privacy Protections and the Portal
Noting opponents of the bill claimed CISA would allow “companies to collect and then funnel citizens’ private information directly into the hands of the most fearsome elements of the federal government,” Hennessey pointed to the fact that the feared Department of Homeland Security information sharing portal has been up and running for months and that “technical parameters of the system function as a kind of uncodified privacy protection.”
CISA in Context: The Voluntary Sharing Model and that “Other” Portal
CISA creates certain incentives for information sharing. Hennessey explains, “CISA is intended to eliminate real and perceived impediments to sharing; in other words, all the reasons private companies might not share. Consequently, private industry has won a great many number of assurances in CISA. Liability protection operates as the strongest incentive to share by removing the clearest legal risks. But beyond baseline liability protection, CISA also cannot be construed by courts to create a common law duty to share information nor any duty to warn or act based on the information received.”
CISA in Context: Government Use and What Really Matters for Civil Liberties
In her final piece, Hennessey explains that “the government use provisions are possibly the most important privacy element of the entire bill and warrant a close look. As with the rest of the bill, the functional constraints of AIS are highly relevant to the analysis but do not necessarily solve all potential problems.”