President Obama's 2015 State of the Union address urged Congress to pass legislation to address cyber threats: “If we don’t act, we’ll leave our nation and our economy vulnerable.”
After years of proposed, but ultimately unsuccessful, legislation, the “year of the data breach” and executive pressure have pushed Congress closer to passing federal cybersecurity legislation. Though focused on the balance between information sharing and privacy in order to address national security — a goal that seems to primarily affect consumers, data holders, and the government — these bills have great implications for journalists and their sources.
This year’s predominant cybersecurity bills take three forms: the Senate’s Cybersecurity Information Sharing Act (CISA), the House Intelligence Committee’s Protecting Cyber Networks Act (PCNA), and the House Homeland Security Committee’s National Cybersecurity Protection Advancement Act (NCPAA). Each includes provisions that reduce transparency and accountability, while providing tools to prosecutors to investigate suspected leakers and those who print their stories.
Cybersecurity legislation and transparency
The proposed legislation creates exceptions to public access for information shared under the cybersecurity acts.
CISA calls for a new exemption from the Freedom of Information Act, adding a tenth exemption for “information shared with or provided to the Federal Government pursuant to the Cybersecurity Information Sharing Act of 2015.” This broad exemption would encompass all information covered by the Act, disregarding existing FOIA exemptions and setting a precedent to limit transparency in other security areas.
In a March letter to the Senate Select Committee on Intelligence, a group of 11 organizations, including OpenTheGovernment.org, the American Civil Liberties Union, the Society of Professional Journalists, and the Sunlight Foundation, called this “the most far-reaching substantive broadening of the [FOIA] Act’s exemptions — thus broadly weakening FOIA as a whole — since 1986.”
Since then, the Senate committee produced a report in mid-April wherein Senators Martin Heinrich, D-N.M., and Mazie Hirono, D-Hawaii, recommended the removal of this new, tenth exemption.
The Senators declared: “Government transparency is critical in order for citizens to hold their elected officials and bureaucrats accountable; however, the bill's inclusion of a new FOIA exemption is overbroad and unnecessary as the types of information shared with the government through this bill would already be exempt from unnecessary public release under current FOIA exemptions.” As they state, much of the information that the private sector would share with the government would already be covered under the existing Exemption 4 as confidential commercial information.
Ultimately, skepticism about the necessity of a new FOIA exemption on the part of some senators, combined with the absence of such a tenth exemption from the bills passed in the House, makes it unlikely that the final bill will retain this broad exemption. However, another FOIA exemption remains in every version.
All three bills call for “cyber threat indicators and defensive measures” to be exempt “without discretion” from FOIA under Section 552(b)(3), as well as state freedom of information statutes, with no time limitations on the exemption from access. Defined broadly, cyber threat indicators include information identifying a method of defeating a security control or exploiting a security vulnerability, as well as information simply identifying vulnerabilities. Critics of the legislation express concern over the mandatory and duplicative nature of this exemption.
A coalition of 34 pro-access groups criticized the discretionless withholding in a letter opposing PCNA, recommending drafters delete the modifier "without discretion." As PCNA already states that the cyber threat information will have been shared voluntarily, the information would be covered by FOIA's existing Exemption 4 for confidential information. PCNA reframes this by codifying a legal presumption against disclosure.
Senate Intelligence Committee Chairman Richard Burr’s office defends these FOIA exemptions as key to promoting more information sharing by reducing risk, a necessary balance to protect private information.
Comparing CISA to a neighborhood watch program, Sen. Burr, R-N.C., has promoted the act and its scrubbing requirements as “a solution that can minimize the threats to your own personal information, keep the economy strong, and help secure the nation.”
Chairman of the U.S. House Committee on Homeland Security Michael McCaul, R-Texas, expressed concern for the under-reporting of cyber attacks and the importance of incentivizing information sharing.
Rep. McCaul supports protections in the bill that encourage the exchange of information in order to overcome companies’ fear that sharing “could put their customers’ privacy at risk, expose sensitive business information, or even violate federal law and the duty they have to their shareholders.”
Information sharing and prosecutions
CISA and PCNA authorize the use of cyber threat information provided to the government for cybersecurity purposes and for “preventing, investigating, disrupting, or prosecuting” violations of the Espionage Act, among other federal crimes.
Gabe Rottman, legislative counsel and policy advisor in the ACLU’s Washington Legislative Office, explained that this provision creates two issues for journalists and their sources. First, the standard for scrubbing personally identifiable information from documents before it goes from the private sector to the government is not very robust. Rottman asserts that the legislation provides broad liability protections that create an incentive to overshare this information.
In addition, the bills authorize investigation of cybersecurity threats. Not only will leakers like Snowden and Manning qualify as such threats, but so likely will anyone suspected of talking to the press on security issues, as well as many security journalists themselves.
Rottman warns of the use of these provisions in “future unauthorized disclosure cases as an investigative tool for prosecutors” – especially when considering the difficulty of the public holding the government accountable in light of the proposed FOIA exemptions. For example, these bills enable investigators in leak cases to circumvent warrant and due process requirements by going to third-party communicators to request the voluntary disclosure of information that they deem related to a cybersecurity threat.
The Sunshine in Government Initiative (SGI) also voiced concerns about classification when faced with a similar provision in CISA’s predecessor.
“CISA as proposed would grant the federal government virtually unlimited authority to thwart newsgathering and the use of confidential sources by removing meaningful judicial oversight and placing the balancing of vital democratic interests in the hands of the executive branch and private industry,” SGI wrote in a June 2014 letter to the Senate Select Committee on Intelligence.
This cybersecurity legislation is just one piece in a larger debate over security, privacy, accountability, and freedom of the press. From the prosecution of Barrett Brown under the Computer Fraud and Abuse Act and the use of targeted DMCA takedown notices against journalists to the monitoring of James Rosen and subpoenaing of James Risen, reporting on important security issues is not without significant risk.
As CISA and PCNA’s critics fear that the enactment of an authorized use provision would encourage prosecution under the Espionage Act and create a chilling effect on newsgathering and reporting, their concerns are reminiscent of Quinn Norton’s farewell to security journalism following Brown's sentencing earlier this year: “I may be incarcerated for doing my job.”