Legislating Security

CHICAGO — A Congressional Research Service report issued in January lists more than 15 individual pieces of cybersecurity-related legislation proposed in the 111th and 110th Congresses.

That doesn’t include a resolution presented this year by Illinois Congressman Daniel Lipinski to promote education of future cybersecurity specialists, the expansion of research and partnerships between universities and government agencies, and a standard-setting process for “interconnectivity, identification and communication.”

John Veysey, Lipinski’s senior legislative assistant, said this is a typical number of bills for any given area of interest in Congress.

“But this is not a typical issue,” Veysey said. “If you define cybersecurity in the broadest of terms, it impacts so many things, so many aspects of our country, our economy and of the federal government – everything from defense to libraries and universities.”

That results in a lot of interested committees, people, and stakeholders. While it is challenging to negotiate with all those parties, many of the bills are moving through Congress, including the Cybersecurity Act (SB 773) being proposed by U.S. Sens. Jay Rockefeller, D-W.V., and Olympia Snowe, R-Maine, both of whom are members of the Senate Commerce and Intelligence committees.

They wrote in the Wall Street Journal that this proposed legislation would create a partnership between the government and private companies. The act would also create the position of a national adviser to bring government and private business together on this front and provide for “unprecedented information sharing.”

“From where I sit, the fact that Sen. Rockefeller and Sen. Snowe passed their bill out of committee … that represented a real step forward,” Veysey said. “I think we’re moving forward, and that’s good. … Certainly reflects the need and the long history of working on this issue with not a lot of progress. Many years.”

Cybersecurity research is one of the areas in greatest need of exploration, Veysey said.

“Agencies that are setting research agendas will need to listen to the private sector to hear what their needs are and what their priorities are and we’ll be able to influence that process,” he said.

Agencies like the NSA, National Science Foundation, and NIST are doing research, but they are not looking into the “human dimension aspects of these problems,” such as how people interact with computers and communication devices, and paying attention to psychological and sociological problems, Veysey said.

The government is full of agencies with some connection to technology, security and intelligence, such as the Joint Interagency Cyber Task Force for the Office of the Director of National Intelligence, an ambiguous name I came across in the Congressional Research Service report.

But apparently some of their research isn’t being shared: “It should be noted that some of the apparent gaps discovered [in response to cybersecurity challenges] may actually be addressed by existing classified programs, which cannot be discussed in this unclassified report.”

Among the “common themes of recent cybersecurity initiatives” discussed in the report is “privacy and civil liberties – maintaining privacy and freedom of speech protections on the Internet while devising cybersecurity procedures” as well as “outreach, collaboration and policy formation – working across government and with the private sector to share information on threats and other data, and to develop shared approaches to securing cyberspace.”

Jay Stanley, public education director of ACLU’s Technology and Liberty Program, said the government can help protect the private sector with its cybersecurity issues but the public needs to be conscious of the pitfalls and ensure that they are not allowing the creation of something that will give corporations more power than they should have.

People often willingly give out their personal information but they also do it begrudgingly and without complete awareness of “the extent to which the information they give to one institution is stored, used, traded and combined,” he said.

Over time, it is becoming more apparent how that information is being used.

Orayb Aref Najjar, a journalism professor at Northern Illinois University who specializes in cyber-communities and freedom of the press, said in an email that U.S. companies have a legitimate interest in protecting their trade secrets.

But she would like to know whether the government is approaching companies or if company officials are seeking federal assistance, why these companies don’t have the expertise to secure themselves, and how their technical information is stored.

“I would have to know whether getting the help of the government in this case would allow NSA access to citizen searches,” Najjar wrote. “If the NSA has access to the Google code, would it also have access to our accounts and our searches? Could the NSA keep its hands out of direct access to the searches cookie jar?”

Najjar said surveillance by the government or private contractors is unnecessary.

“If Wall Street can police itself, the cyber world can do that too,” she wrote. “People on social networks may be asked to report suspicious activity.”

Proposed legislation that involves identifying and assessing international and global risks is especially worrisome to Najjar, who is concerned that foreign countries’ anti-terrorism laws will extend beyond the scope of finding criminals.

“My research suggests that the laws were sometimes applied to the non-violent enemies of the regimes in question, rather than only against ‘terrorists,’” she said in her email. “I see a similar problem developing in which enhanced abilities to control a country’s cyber space would allow the country to crack down on bloggers and dissenters who try to evade its reach. So the intent of this law, safety, is good, but I fear that it would be applied to the wrong thing.”

Stanley with the ACLU says the idea that security comes at the sacrifice of privacy is “overblown.”

“Privacy and security are not in conflict,” he said.

Many of the intrusions on privacy are also bad for security, Stanley said.

In the industrial age, people think of everything in terms of machines; they see everything as an information problem, he said. But searching databases for the metaphorical needle in a haystack is an ineffective way to solve terrorism.

“Terrorist attacks are not stopped that way,” he said.

The best approach to security is doing the legwork, chasing down leads, “good, old fashioned investigation,” he said.
