Since mid-2011, the Obama administration has been trying to push cybersecurity reforms through Congress to provide investigators with the tools and authority they need to combat quickly evolving threats. But as the proposed legislation has received renewed attention following the State of the Union speech, it has become clear that a number of critics still fear such moves may erode data privacy in the process.
Following President Obama's address to the nation last week, White House cybersecurity coordinator Howard Schmidt looked to capitalize on growing awareness and clarify the motivation driving the bill his team delivered to Congress last May.
"From day one, the president’s charge to all of us in the administration has been to do everything possible to address our critical national and economic security needs. That is why we have tried to aggressively use our existing authorities to address the cybersecurity vulnerabilities of the critical infrastructure systems upon which we as a nation rely for our security and prosperity," Schmidt explained on the White House website. "While there is much the administration can and will continue to do under existing legal authorities to improve our nation’s cybersecurity, only Congress can modernize our underlying laws and give us the full range of tools our cybersecurity professionals need to more effectively deal with this growing and increasingly sophisticated threat."
One of the key components of the new cybersecurity framework would be increased collaboration between public-sector authorities and private-sector businesses. For example, government officials would be more prescriptive in their advice to companies, elaborating on Internet security best practices employed by top agencies and sharing information on the latest trends in identity fraud and intellectual property theft. Federal officials could also be vested with the authority to act on behalf of private-sector companies to prevent and defend against attacks when national interests are at stake.
But while the need to modernize defense strategies is clear to most, some have suggested that the federal government may be overreaching in its quest to ensure national data security.
According to Washington-based news provider the Hill, several defense contractors have already expressed concern that the threshold for Department of Homeland Security (DHS) intervention in their operations may be set too low. Juniper Networks vice president for government affairs Bob Dix suggested that the bill's current language would empower the DHS to "seize control" of systems managed by cloud providers and other private firms.
"The provision that establishes covered critical infrastructure presumes to give DHS new authority, that in my mind is overly broad, subject to interpretation and frankly goes beyond the boundaries of the role of government," Dix noted in an interview with the Hill. "I would argue that those of us in the protection business better understand how to manage risk than the government does or ever will."
The relevance of these assertions extends far beyond the defense contractor community, however, and civil liberties groups have already begun dissecting the potential data privacy ramifications of the currently proposed bills.
The Constitution Project (TCP), a bipartisan constitutional watchdog group, has released a new report containing its Liberty and Security Committee's recommendations for preserving citizen privacy through government cybersecurity reform. Without the proper safeguards, report authors cautioned, Fourth Amendment rights could potentially fall by the wayside and subject Americans to "the equivalent of a perpetual wiretap" on their online communications.
"Until very recently, expanding the jurisdiction of Einstein and other cybersecurity technologies so deeply into the daily lives of Americans has not been publicly discussed," TCP officials stated. "Yet, now pending in Congress are bills that could permit all network communications with banks, hospitals, airlines and other critical private industries – including personal, private communications accessed or sent across those industry networks – to be shared with the federal government as a matter of course."
To avoid unintended – or potentially unconstitutional – complications in federal data security management, TCP report authors urged lawmakers to include provisions that would sanitize and/or remove personally identifiable information from any data shared between federal agencies and private-sector organizations. The scope of data collection was also cited as a key factor. Civil liberties advocates called for controls that would ensure only information relevant to cybercriminal activity could be gathered and no citizen data could be shared with authorities to prosecute unrelated charges. Finally, the report called for mandatory periodic audits of the new cybersecurity framework with involvement from independent oversight committees.
These recommendations were endorsed by a variety of academic experts, former intelligence community members and technology leaders. Mary McCarthy, a former senior policy planner for the Central Intelligence Agency, and James McPherson, a former general counsel for the Department of Defense Counterintelligence Field Activity, were among the more prominent supporters of the TCP release.
Data Security News from SimplySecurity.com by Trend Micro