WASHINGTON – When Adm. Mike McConnell served as director of the National Security Agency in the early 1990s after the Cold War, he noticed what he described as an unspoken competition between federal agencies over the sharing of critical national security information.
Cybersecurity legislation today revolves around the same competition, he said at a discussion of cyber threats at The George Washington University. He also said that the competing arguments that frame the need for privacy of Americans’ information and regulation to ensure cybersecurity should be set to rest by explicitly stating in the proposal that using information for purposes other than cybersecurity is a violation of law.
“The concerns about privacy and regulation that might touch industry,” McConnell said, “are not allowing us to get to the point where we set the legislative framework to harness what’s needed from the government and what’s needed from the private sector to share information at network speed.”
He also said the agency that can see the world at network speed, the National Security Agency, should take the lead in assessing cyberthreats.
Last month, Sen. Lieberman, I-Conn., introduced the Cybersecurity Act of 2012, which would delegate regulatory authority over cybersecurity to the Department of Homeland Security. Sen. John McCain, R-Ariz., and other GOP supporters offered a counter bill that would include the National Security Agency as a cyberthreat protector.
Privacy advocates have criticized parts of cyber legislation for lack of clarity over what information will be shared between government agencies and the private sector and who will collect that information.
“We are concerned that the cybersecurity provisions are going to fall to the NSA, which has had a history of being nontransparent and unaccountable,” said Amie Stepanovich, national security counsel of the Electronic Privacy Information Center. “[The intelligence] is going to disappear into this security black hole that nobody will ever get information about.”
President Barack Obama’s administration currently gives the Department of Homeland Security authority to monitor domestic cyberthreats.
Any cybersecurity legislation should provide strong partnerships with the private sector to foster innovation in ways to enhance security, Homeland Security Deputy Secretary Mark Whetherford wrote in a blog post on the department’s website Tuesday. He also said legislation must “mandate increased and more robust privacy oversight, including penalties for misuse of voluntarily shared information.”
“The troubling side of spending a week with some of the experts in the cybersecurity world,” he wrote, “is that when we compare notes on our views of the threat, we all agree that despite the firewalls and layered defenses, we are not always keeping intruders out.”
The Constitution Project released a report in January that concludes Americans should be concerned about the federal government’s public-private partnership efforts to share information. It included concerns that “sensitive personal information of people who work for or communicate with [private sector companies sharing information] could be improperly or inadvertently disclosed.” The advocacy group compared the privacy concerns surrounding sharing to the NSA’s warrantless wiretapping after September 11.
Stepanovich said the NSA, which is part of the Defense Department, has not been transparent about its cybersecurity policies and programs because of its broad Freedom of Information Act exemption. She said the ACLU has been in a yearlong legal battle with the agency to define what its boundaries are, saying “they fight tooth and nail just to keep everything about their operations away from the public.”
McConnell put the current state of sharing in an even bleaker perspective: “Unless it is required by law or incentivized [to the private sector] in a particular way, you will not have information sharing.”
The debate goes on
Rep. Mike Rogers, chairman of the House Intelligence Committee, told an audience at the Heritage Foundation recently that information sharing between the private sector and federal agencies is critical to prevent a catastrophe from occurring.
He, along with the committee’s senior Democrat, Rep. Dutch Ruppersberger, pushed the Cyber Intelligence and Sharing Protection Act through their committee last year. The 13-page provision would encourage private companies to voluntarily share cyberthreat information with federal agencies. It also would exempt private firms from responsibility for how the government uses their information.
His bill, which has been supported by private companies like IBM and Facebook, is one of several cyber bills moving through the House and Senate.
In addition to the Lieberman and McCain bills, Rep. Dan Lundgren, chairman of the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, pushed a bill that would create a privately run nonprofit clearinghouse for clearly defined cyber threat information. It also would require personally identifiable information unnecessary to describe a threat not to be shared with the organization.
Michelle Richardson, legislative counsel for the American Civil Liberties Union, told the subcommittee that the ACLU’s concerns were what information is being shared and who gets to receive that information. Richardson stressed that lawmakers should clearly state that personally identifiable information should not be shared with the government.
She said information sharing provisions in the Rogers bill would encourage private companies to provide information without oversight.
“All the bills take a different approach [to information sharing],” she said. “The Lundgren bill uses stronger language about taking out personally identifiable information whenever it’s not necessary to respond to a cyber threat. The worst is probably the Rogers bill, because it allows the sharing of all cyber information.”
Richardson said some of the information the group is concerned about includes Internet use history and the content of emails. She expressed concern about the NSA’s “horrible track record” for its participation in warrantless wiretapping.
“What the legislation is really about is domestic civilian Internet use of information,” she said. “It is totally inappropriate for the military to be receiving that.”
Greg Nojeim, senior counsel at the Center for Democracy and Technology, said before a House subcommittee in December that the private sector “remains responsible for monitoring and protecting its own networks and that monitoring authority should not be transferred, directly or indirectly, to the government.”
The problem, Stepanovich said, is that many companies are unsure what the state of the law is right now.
As the bills work their way through the system during an election year, privacy groups watch with cautious optimism. The “shortened timeline” and multiplicity of provisions, Richardson said, demonstrate how important it is for lawmakers to get it right.
“We would rather have no bill than a bad bill,” Richardson said. “Once they pass a cybersecurity bill, we are stuck with it — from a privacy perspective, anyways.”