Coalition letter supporting Leahy-Franken amendment to CISA
We, the undersigned open-government, civil-liberty and privacy groups, write in opposition to the Cybersecurity Information Sharing Act (“CISA”) and to urge passage of the proposed amendments from Sen. Leahy and Sen. Franken. Leahy Amendment No. 2587 would protect the Freedom of Information Act (FOIA) by removing from the bill a new FOIA exemption that is both unnecessary and harmful, and Franken Amendment No. 2612 would take important measures to clarify the definitions of cybersecurity threat and cyber-threat indicator. Both are essential to ensure the bill does not sweep away important privacy protections and civil liberties, increase the difficulty and complexity of information sharing and threaten the integrity of FOIA.
It is of critical concern to our community to protect the Judiciary Committee’s exclusive jurisdiction over FOIA. New exemptions should be enacted only after full and fair consideration by the committee, through proceedings that are open to the public. Allowing the new exemption to be included in the underlying bill sets a dangerous precedent for the future of FOIA. The Leahy Amendment strikes the new “b(3) exemption” from the bill, protecting the integrity of the FOIA framework in the process.
CISA currently contains an overly broad new FOIA exemption that would exempt from disclosure information related to cyber-threat indicators and defensive measures. While we agree that the large majority of the sensitive information likely to be shared under CISA should not be subject to FOIA, this information is already protected from disclosure under existing FOIA exemptions and by other provisions in the bill. Creating new, unnecessarily broad and completely redundant exemptions only weakens the existing FOIA framework and threatens the twin goals of promoting government transparency and accountability. Moreover, the new FOIA language could result in serious unintended consequences, given the overly broad definitions that currently exist in CISA related to cyber-threat indicators and defense measures.
In their current form, the definitions in CISA for “cybersecurity threat” and “cyber-threat indicator” are concerning because they are unnecessarily broad. Technology and civil-liberties groups have highlighted that CISA’s current definition for cybersecurity threat is vague and problematic: it includes some vague categories related to potential harms and “other attributes” that could lead to companies sharing unnecessary or inactionable content or personally identifiable information (PII). Franken Amendment No. 2612 would clarify the definition for cybersecurity threat by establishing that an event or incident constitutes a threat – and triggers CISA’s authorizations – only if it is “reasonably likely to result in” harm. The Open Technology Institute wrote in June that Franken’s amendment would also improve CISA’s operational efficacy and its privacy protections by helping to ensure the information that is shared is actionable threat data, and that it will include less unnecessary content and PII.
Accordingly, we urge you to support Amendments 2612 and 2587 to CISA. Please do not hesitate to contact Patrice McDermott, executive director of OpenTheGovernment.org (202-332-6376 or [email protected]) or Robyn Greene, policy counsel for the Open Technology Institute (202-596-3609 or [email protected]).
American Civil Liberties Union
American-Arab Anti-Discrimination Committee
American Library Association
American Society of News Editors
Association of Alternative Newsmedia
Brennan Center for Justice
Campaign for Accountability
Citizens for Responsibility and Ethics in Washington (CREW)
Council on American-Islamic Relations
New America’s Open Technology Institute
National Coalition for History
National Security Archive
National Security Counselors
PEN American Center
People For the American Way
Project On Government Oversight
Reporters Committee for Freedom of the Press
Restore The Fourth
Society for Professional Journalists
Transactional Records Access Clearinghouse, Syracuse University