I confess I don’t know the answer to this question, but I’m going to pose it anyway. Could companies report non-participation in CISA — or whatever the voluntary cyber information sharing program that will soon roll out is eventually called — in their transparency reports?
I ask in part because there’s great uncertainty about whether tech companies support or oppose the measure. The Business Software Alliance suggested they supported a data sharing bill, until Fight for the Future made a stink, when at least some of them pulled off (while a number of other BSA members, like Adobe, IBM, and Siemens, will surely embrace the bill). A number of companies have opposed CISA, either directly (like Apple) or via the Computer and Communications Industry Association. But even Google, which is a CCIA member, still wants a way to share information even if they express concerns about CISA’s current form. Plus, there some indication that some of the companies claiming to oppose CISA — most notably, Facebook — are secretly lobbying in favor of it.
In the wake of CISA passing, activists are wondering if companies would agree not to participate (because participation is, as Richard Burr reminded over and over, voluntary, even if the key voluntary participants will also be bidding on a $50 billion contract as CISA rolls out). But I’m not sure what that would even mean.
So, first, would companies legally be permitted to claim in their transparency reports that they did not voluntarily participate in CISA? There are a lot of measures that prohibit the involuntary release of information about companies’ voluntary participation in CISA. But nothing in the bill that seems to prohibit the voluntary release of information about companies’ voluntary non-participation.
But even if a company made such a claim — or claimed that they only share cyber indicators with legal process — would it even be meaningful? Consider: Most of the companies that might make such a claim get hacked. Even Apple, the company that has taken the lead on pushing back against the government, has faced a series of attacks and/or vulnerabilities of late, both in its code and its app store. Both any disclosures it made to the Federal government and to its app vendors would be covered by CISA unless Apple deliberately disclosed that information outside the terms of CISA — for example, by deliberately leaving personally identifiable information in any code it shared, which it’s not about to do. Apple will enjoy the protections in CISA whether it asked for them or not. I can think of just two ways to avoid triggering the protections of CISA: either to only report such vulnerabilities as a crime report to FBI (which, because it bypassed the DHS, would not get full protection, and which would be inappropriate for most kinds of vulnerability disclosures), or to publicly disclose everything to the public. And that’s assuming there aren’t more specific disclosures — such as attempts to attack specific iCloud accounts — that would legitimately be intelligence reports. Google tells users if they think state actors are trying to compromise their accounts; is this appropriate to share with the government without process? Moreover, most of the companies that would voluntarily not participate already have people with clearance who can and do receive classified intelligence from the government. Plus, these companies can’t choose not to let their own traffic that transits communications backbone be scanned by the backbone owners.
In other words, I’m not sure how a company can claim not to participate in CISA once it goes into effect unless it doesn’t share any information. And most of the big tech companies are already sharing this information among themselves, they want to continue to do that sharing, and that sharing would get CISA protections.
The problem is, there are a number of kinds of information sharing that will get the permission of CISA, all of which would count as “participating in it.” Anything Apple shared with the government or other companies would get CISA protection. But that’s far different than taking a signature the government shares and scanning all backbone traffic for instances of it, which is what Verizon and AT&T will almost certainly be doing under CISA. That is, there are activities that shouldn’t require legal process, and activities that currently do but will not under CISA. And to get a meaningful sense of whether someone is “participating” in CISA by performing activities that otherwise would require legal process, you’d need a whole lot of details about what they were doing, details that not even criminal defendants will ever get. You’d even need to distinguish activities companies would do on their own accord (Apple’s own scans of its systems for known vulnerabilities) from things that came pursuant to information received from the federal government (a scan on a vulnerability Apple learned about from the government).
We’re never going to get that kind of information from a transparency report, except insofar as companies detail the kinds of things they require legal process for in spite of CISA protection for doing them without legal process. That would not be the same thing as non-participation in CISA — because, again, most of the companies that have raised objections already share information at least with industry partners. But that’s about all we’d get short of really detailed descriptions of any scrubbing that goes on during such information sharing.
When the Business Software Alliance released this letter a while back, I was perplexed.
In addition to its call for Congress to pass a set of designated bills, including ECPA reform, that would give assurances to international customers that US services weren’t more exposed to US spying, the letter also called for passage of cybersecurity sharing legislation.
Cyber Threat Information Sharing Legislation will promote cybersecurity and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat, thus enabling the development of better solutions faster.
As TechDirt noted, the letter didn’t name any particular cyber sharing bill, but there are three and all expand US government access to data. Even if some or all tech companies that make up BSA wanted such a bill it seemed odd to include in a call for legislation that would reassure international customers. I asked around and the impression was it was just convenience to include a CISA-type legislation (but why include it at all)?
So then Fight for the Future went to work. It got thousands of activists to complain to the companies directly about their stated support for a CISA-type legislation. And also announced their intention to stop using Heroku, which is part of Salesforce, as their host.
That led first Salesforce then BSA more generally to deny they had ever supported CISA. The BSA language pretended their original letter called for balanced legislation. And it also claimed to consistently advocate for strong privacy protections on such legislation — which of course they didn’t do in the letter.
There have been questions about our views of the current CISA legislation. For clarity, BSA does not support any of the three current bills pending before Congress, including the Cybersecurity Information Sharing Act (CISA), the Protecting Cyber Networks Act (PCNA), and the National Cybersecurity and Communications Integration Center (NCCIC) Act.
Consistent with this view, BSA’s September 14 data agenda letter to Congressional leaders identified five key areas where Congress can pass legislation to strengthen the policy environment around digital commerce, including voluntary information sharing, and highlighted the need for balanced legislation in this area.
BSA has consistently advocated for strong privacy protections in all information sharing bills currently pending before the Congress.
We will continue to work with the Congress, others in industry and the privacy community to advance legislation that effectively deals with cyber threats, while protecting individual privacy.
All of raises more questions about how the endorsement for cyber sharing at a time when all the cyber sharing bills before Congress don’t balance privacy interests got into the letter.
Especially given the signatories. The signatories include companies — like Apple — that have fought hard to protect their customers’ privacy. It included several — notably Adobe and Siemens — that could significantly benefit from any kind of immunity, given that their products are among the most consistent targets of hacks. Most interesting, it includes several companies — including IBM and Symantec — that will benefit when a CISA bill makes it easier for cybersecurity contractors to get more data with which to serve customers.
Indeed, the language from the original bullet support cyber sharing — “enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat” — might well describe how cybersecurity contractors will get a boost from CISA.
Some members of BSA probably do, individually, support CISA for the immunity and data it would give them. Others neither need it nor want the stigma.
So how did it get in this letter?
I’ve become increasingly convinced that DOJ’s head of Criminal Division, Lanny Breuer is the rotting cancer at the heart of a thoroughly discredited DOJ. Which is why I’m not surprised to see this speech he gave at the NYC Bar Association selling the “benefits” of Deferred Prosecution Agreements. (h/t Main Justice) He spends a lot of his speech claiming DPAs result in accountability.
And, over the last decade, DPAs have become a mainstay of white collar criminal law enforcement.
The result has been, unequivocally, far greater accountability for corporate wrongdoing – and a sea change in corporate compliance efforts. Companies now know that avoiding the disaster scenario of an indictment does not mean an escape from accountability. They know that they will be answerable even for conduct that in years past would have resulted in a declination. Companies also realize that if they want to avoid pleading guilty, or to convince us to forego bringing a case altogether, they must prove to us that they are serious about compliance. Our prosecutors are sophisticated. They know the difference between a real compliance program and a make-believe one. They know the difference between actual cooperation with a government investigation and make-believe cooperation. And they know the difference between a rogue employee and a rotten corporation.
One of the reasons why deferred prosecution agreements are such a powerful tool is that, in many ways, a DPA has the same punitive, deterrent, and rehabilitative effect as a guilty plea: when a company enters into a DPA with the government, or an NPA for that matter, it almost always must acknowledge wrongdoing, agree to cooperate with the government’s investigation, pay a fine, agree to improve its compliance program, and agree to face prosecution if it fails to satisfy the terms of the agreement. All of these components of DPAs are critical for accountability.
But the real tell is when he confesses that he “sometimes–though … not always” let corporations off because a CEO or an economist scared him with threats of global markets failing if he held a corporation accountable by indicting it.
To be clear, the decision of whether to indict a corporation, defer prosecution, or decline altogether is not one that I, or anyone in the Criminal Division, take lightly. We are frequently on the receiving end of presentations from defense counsel, CEOs, and economists who argue that the collateral consequences of an indictment would be devastating for their client. In my conference room, over the years, I have heard sober predictions that a company or bank might fail if we indict, that innocent employees could lose their jobs, that entire industries may be affected, and even that global markets will feel the effects. Sometimes – though, let me stress, not always – these presentations are compelling. [my emphasis]
None of this is surprising, of course. It has long been clear that Breuer’s Criminal Division often bows to the scare tactics of Breuer’s once and future client base. (In his speech, he boasts about how well DPAs and NPAs have worked with Morgan Stanley and Barclays, respectively.)
It’s just so embarrassing that he went out in public and made this pathetic attempt to claim it all amounts to accountability.