So-Called Oversight in OmniCISA

I did a working thread of the surveillance portion of the version of CISA in the omnibus funding bill here. The short version: it is worse even than CISA was on most counts, although there are a few changes — such as swapping “person” in all the privacy guidelines to “individual” that will have interesting repercussions for non-biological persons.

As I said in that post, I’m going to do a closer look at the privacy provisions that didn’t get stripped from the bill; the biggest change, though, is to eliminate a broad biennial review by the Privacy and Civil Liberties Oversight Board entirely, replacing it with a very narrow assessment, by the Comptroller (?!) of whether the privacy scrub is working. Along with the prohibition on PCLOB accessing information from covert ops that got pulled in as part of the Intelligence Authorization incorporated into the bill, it’s clear the Omnibus as a whole aims to undercut PCLOB.

So here’s what counts as “oversight” in OmniCISA. Note, the “appropriate Federal agencies” are the agencies that automatically get information under the sharing system:

(A) The Department of Commerce

(B) The Department of Defense

(C) The Department of Energy

(D) The Department of Homeland Security

(E) The Department of Justice

(F) The Department of the Treasury

(G) The Office of the Director of National Intelligence

Report on Implementation

Timing: less than one year after passage

Completed by: heads of appropriate Federal agencies

This is basically a report on whether the information sharing bureaucracy is working to share information effectively. It totally blows off privacy questions and doesn’t require an independent assessment. This report includes:

(A) An evaluation of the effectiveness of real-time information sharing through the capability and process developed under section 105 (c), including any impediments to such real-time sharing.

(B) An assessment of whether cyber threat indicators or defensive measures have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purpose of sharing cyber threat indicators or defensive measures with the private sector.

(C) The number of cyber threat indicators or defensive measures received through the capability and process developed under section 105(c).

(D) A list of Federal entities that have received cyber threat indicators or defensive measures under this title.

Bienniel Report on Compliance

Timing: At least every two years

Completed by: Inspectors General of appropriate Federal agencies, plus Intelligence Community and Council of Inspectors General on Financial Oversight

This report assesses both the same efficacy questions reviewed within a year and privacy protections. But it swaps out a general requirement that the IGs assess, “The degree to which such information may affect the privacy and civil liberties of specific persons,” with (D)(ii), below, which is tied to whether information is “related to a cybersecurity threat.” Since everything collected would be “related to” (collected because of some technical connection to) a cyberthreat, it basically undercuts the likelihood of a too-broad interpretation of “related to” undercutting privacy.

It includes:

(A) An assessment of the sufficiency of the policies, procedures, and guidelines relating to the sharing of cyber threat indicators within the Federal Government, including those policies, procedures, and guidelines relating to the removal of information not directly related to a cybersecurity threat that is personal information of a specific individual or information that identifies a specific individual.

(B) An assessment of whether cyber threat indicators or defensive measures have been properly classified and an accounting of the number of security clearances authorized by the Federal Government for the purpose of sharing cyber threat indicators or defensive measures with the private sector.

(C) A review of the actions taken by the Federal Government based on cyber threat indicators or defensive measures shared with the Federal Government under this title, including a review of the following:

(i) The appropriateness of subsequent uses and disseminations of cyber threat indicators or defensive measures.

(ii) Whether cyber threat indicators or defensive measures were shared in a timely and adequate manner with appropriate entities, or, if appropriate, were made publicly available.

(D) An assessment of the cyber threat indicators or defensive measures shared with the appropriate Federal entities under this title, including the following:

(i) The number of cyber threat indicators or defensive measures shared through the capability and process developed under section 105(c).

(ii) An assessment of any information not directly related to a cybersecurity threat that is personal information of a specific individual or information  identifying a specific individual and was shared by a non-Federal government entity with the Federal government in contravention of this title, or was shared within the Federal Government in contravention of the guidelines required by this title, including a description of any significant violation of this title.

(iii) The number of times, according to the Attorney General, that information shared under this title was used by a Federal entity to prosecute an offense listed in section 105(d)(5)(A).

(iv) A quantitative and qualitative assessment of the effect of the sharing of cyber threat indicators or defensive measures with the Federal Government on privacy and civil liberties of specific individuals, including the number of notices that were issued with respect to a failure to remove information not directly related to a cybersecurity threat that was personal information of a specific individual or information that identified a specific individual in accordance with the procedures required by section 105(b)(3)(E).

(v) The adequacy of any steps taken by the Federal Government to reduce any adverse effect from activities carried out under this title on the privacy and civil liberties of United States persons.

(E) An assessment of the sharing of cyber threat indicators or defensive measures among Federal entities to identify inappropriate barriers to sharing information.

Independent Report on Removal of Personal Information

Timing: Not later than 3 years after passage

Completed by: Comptroller General

This review will measure “the actions taken by the Federal Government to remove personal information from cyber threat indicators or defensive measures pursuant to this title,” assessing whether the policies and procedures established by the bill are sufficient to address concerns about privacy and civil liberties.

 

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

1 reply
  1. Giles Byles says:

     
    Isn’t “sharing” a lovely word?  But more data sharing means more data breaches will happen.  It’s too predictable.  Seems to me that’s what’s being missed in the discussion of the cynical, stripped-out ex-CISA (!) bill which will soon be the law of the land.  Bad things are sure to come when multiple federal agencies are free to share everything with no real oversight or accountability.
     
    These agencies have shown themselves to be incompetent, hapless & clueless when it comes to keeping data secure in transit or at rest.  (Has something to do with that pesky encryption, which they’re leery of.)  What assurance do we have that they’ll lock down their data any better than they have in the past?
     
    The current approach is, we need more “sharing” & more dragnet surveillance of the citizenry—more useless haystacks to sort through.  But then a “terrorism” happens & we find out the surveillance didn’t do a thing to catch it.  No matter.  We double down & again find ourselves 180 degrees off course from where we need to be headed in terms of intelligence-gathering.  Feinstein & Comey are indefatigable in their exasperating nincompoopery.
     
    Transparency—another lovely word—will come to our government.  But not in an intended or pleasant way.  Over-sharing among multiple agencies will bring it about.  Our new transparency will be the blistering, punishing kind, where everything is laid out in the open by untraceable “hackers.”  The Chiners & the Russkies will be looking over the shoulder of our IC from their front-row cyber-seats.
     
    Which is another reason our dear leaders sneaked that gutted CISA stinker in via an “omnibus” budget bill:  so no one can be held accountable WTSHTF.
     
    Are we “safe” yet?  I’m tired of that word.  The terrorists don’t scare me.  It’s my own wayward, warmongering government I worry about.
     
    Order in an extra carton of popping corn.  The entertainment value of the leak-fest that is just around the corner will be priceless.  & no one will be able to figure out the source of the breaches because they will be coming from inside the Beast—this Gorgon-headed monster that metastasized itself into existence when we weren’t paying attention.

Comments are closed.