- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
Here’s a fun party game. The next time you are at a cybersecurity industry event—an evening event with an open bar—find one of the many lawyers in the room and ask them whether the Cybersecurity Information Sharing Act (CISA) would apply to internet service providers (ISPs).
Every time one of them answers with “it depends,” take a shot.
If the lawyers are any good, you’ll be hammered by the time you call for your Uber ride home.
As I wrote about in my last post, for most companies, the problems that CISA is trying to solve don’t exist. Companies share tons of cybersecurity information with each other every day. They also use defensive measures that inspect their Internet traffic for malicious activity and block it. All in a day’s work for your average IT administrator. No one ever gets sued and no laws are being broken.
But for ISPs, it’s not so simple.
Under the Electronic Communications Privacy Act (ECPA), an ISP like AT&T, Verizon, or Comcast is a bit different from, say, the Ford Motor Company. While Ford can look at all the traffic crossing its network, AT&T can’t. AT&T is a big dumb pipe that passes on packets no matter what is in them, be it malware, child pornography, or stolen copies of The Interview. The only traffic monitoring AT&T can legally do is what it can justify as necessary to keep those packets zipping along (the so-called “owner operator exception”) or what a customer has consented to by contracting with it to provide security services.
CISA, in one view, would allow ISPs to monitor all traffic for cybersecurity threats, operate defensive measures to stop those threats, and share information about these threats with the federal government. That, to Senator Wyden and others, looks a lot like mass Internet surveillance under the guise of a voluntary information sharing bill.
Although CISA contains language in a series of notwithstanding clauses that would seemingly override ECPA, definitional problems create some doubt. The monitoring and defensive measures authorized by CISA can only take place on “information systems.” CISA defines information systems as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” It’s basically the same definition used in U.S. law governing federal information systems.
So, does the Internet backbone qualify as an information system under CISA? Is it a discrete set of resources? The words alone are confusing enough. Now place them in context.
Many lawyers, though not all, will conclude that the definition pertains to Ford’s computer network but not AT&T’s Internet backbone. Some lawyers, though not all, will draw a distinction between information systems and “telecommunications systems.”
To make things clear as mud, CISA’s drafters explicitly included one other type of information system in the definition—industrial control systems (ICS). Some lawyers, though not all, will view the fact that the drafters included the ICS definition as evidence that the existing definition was not all inclusive. If ICS need to be explicitly included, so would ISPs.
If the bill goes forward with these definitions, whether CISA applies to ISPs will depend on where their lawyers come down on these definitions, how risk averse their CEOs are, and, ultimately, whether a judge agrees with the ISPs’ lawyers.
With the bill headed to a conference with the House, a simple request to conferees: insert a clause in the definition that explicitly includes or excludes ISPs. It will save years of court battles and the livers of anyone who tries out this drinking game.