Cybersecurity Legislation Must Not Violate Americans' Right to Privacy
By Todd Park and Michael Daniel
Thank you for speaking out on the important issue of how cybersecurity affects privacy. The President has been clear that the United States urgently needs to modernize our laws and practices relating to cybersecurity, both for national security and the security of our country's businesses -- but that shouldn't come at the expense of privacy.
The White House issued a veto threat for the Cyber Intelligence Sharing and Protection Act (CISPA) on April 16, because the legislation did not fully address our core concerns (especially the protection of privacy). Even though a bill went on to pass the House of Representatives and includes some important improvements over previous versions, this legislation still doesn't adequately address our fundamental concerns.
But it's not good enough to just stop things: We've got to work together, with legislators on Capitol Hill, technology experts from the private sector, and engaged advocates like you to advance cybersecurity legislation without compromising privacy.
Both the government and private companies -- like individuals -- face the constant threat of cyber crime, espionage, and attacks. If a company discovers that a hacker has broken into its network and is stealing its customers' information (violating their privacy in the process), that company should be able to share what it learns about the intrusion efficiently -- how the hacker got in, what he did while inside, and what he looked for -- with the government and other companies. The government and other businesses would then be able to use this information from the hacker, not his victim, to help prevent future intrusions.
But you might ask, "Isn't this collaboration already happening?" The simple answer is yes, but inefficiently. When it comes to information sharing, we need clearer rules to promote collaboration and protect privacy. Right now, each company has to work out an individual arrangement with the government and other companies on what information to share about cyberthreats. This ambiguity can lead to harmful delays.
There is broad consensus on the need for more threat-related information sharing -- including among the leading privacy advocates we regularly engage on the issue. The essential question on which people across the spectrum disagree isn't if we can share cybersecurity information and preserve the principles of privacy and liberty that make the United States a free and open society -- but how.
When it comes to information-sharing, there are three key principles we apply to any legislative proposal: Does it (1) sufficiently protect privacy and civil liberties, (2) ensure that a civilian department -- not an intelligence agency -- is the primary point of entry for cybersecurity information sharing, and (3) provide narrowly tailored liability protections that would allow the private sector to respond to threats (without encouraging reckless behavior). Here's a bit more detail about each:
- It's important that any information shared under a new cybersecurity law must be limited to what's relevant and necessary for cybersecurity purposes. That also means minimizing information that can be used to identify specific individuals. For example, if a utility company is looking for government assistance to respond to a cyber attack, it is unlikely that it needs to share the personal information of its customers, like contact information or energy-use history, with the government.
- Cybersecurity legislation needs to preserve the traditional roles for civilian and intelligence agencies that we all understand. Specifically, if legislation authorizes new information sharing between the private sector and the government, then that new information should enter the government through a civilian department rather than an intelligence agency. That doesn't mean breaking the existing mechanisms that already work. For example, victims of cyber crime ought to continue to report those violations to federal law enforcement agencies and public-private information-sharing relationships that already exist should be preserved.
- Any new legislation ought to provide legal clarity for companies that follow the rules and appropriately share data with the government. But it should not provide broad immunity for businesses and organizations that act in ways likely to cause damage to third parties or result in the unwarranted disclosure of personal information.
Moving forward, the Obama Administration will continue to advocate vocally for cybersecurity legislation that applies these principles to protect privacy. It's important to keep in mind that there is a larger legislative process that is ongoing as we speak, including efforts in the Senate. Just like you, we will continue to closely monitor and engage in that process.
But that's not all we're doing. In addition to participating in the legislative process (including a focus on a comprehensive suite of legislation), you should know that President Obama has also taken steps that don't require Congressional action to improve our cybersecurity. He recently signed an Executive Order on "Improving Critical Infrastructure Cybersecurity," which instructs government agencies to share more cybersecurity information with the private sector—and which includes robust privacy and civil liberties protections based upon the Fair Information Practice Principles (FIPPs). That order also kicks off a partnership with industry to create a framework of cybersecurity best practices and standards that industry can implement to better protect themselves.
We face growing threats from bad actors on the Internet, and we need to protect our citizens and empower our critical infrastructure to protect itself. The United States must update our cybersecurity laws, but we will not sacrifice our values in the process.
Thanks again for your participation in We the People and continued interest in this important issue.
Todd Park is Assistant to the President and the United States Chief Technology Officer. Michael Daniel is Special Assistant to the President and the Cybersecurity Coordinator.