Obama’s cybersecurity plan could infringe on privacy protections: security experts

WASHINGTON – The Obama administration’s plan to urge businesses to share data with the government to fight cyberthreats could infringe on Americans’ privacy rights, experts warned.

While current cybersecurity proposals by President Barack Obama would safeguard people’s personal information from unnecessary exposure, the vast amount of data that companies and government agencies would be sharing still poses a risk.

“We don’t want the possibility down the road that companies will share information that could later be used for general law enforcement purposes,” Harley Geiger, advocacy director and senior counsel at the Center for Democracy and Technology, said on Feb. 19 at a panel hosted by the Center for National Policy and the Christian Science Monitor.

The president has made public-private information sharing a pillar of his cybersecurity agenda after a series of high-profile cyberattacks on companies in 2014 such as the Sony Pictures breach and the Heartbleed bug.

He recently unveiled a proposal urging companies to share cyberthreat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. The information would then be disseminated to other agencies and privately run information sharing hubs.

“We will take cyberthreat information such as malware, IP addresses and such threat indicators from victims and companies and add them together to create a big weather map where we can spot the fronts coming,” said Phyllis Schneck, the Department of Homeland Security’s chief cybersecurity official, in a speech before the Feb. 19 panel.

The proposal also protects consumer privacy, said Schneck. As a condition for receiving liability protection from the government for sharing information with it, companies must strip unnecessary personal information and protect the personal data that must be shared.

However, experts at the panel remained wary of the proposal, which Geiger said would give the government much power. “The way it’s structured now – with the companies getting liability protection only after they share information with the government – forces an almost government-centric sharing regime,” he said.

While acknowledging the privacy protections the administration has proposed as a positive step, Geiger also said that years down the road, the large amount of data could be used for general law enforcement purposes, amounting to what he called a “giant wiretap.”

“I would like to see more protection over the information being shared because it is very lucrative,” said John Pescatore, another panelist and the director of the SANS Institute, a cybersecurity training company.

Andrew Borene, federal chief strategist for IBM’s security, intelligence and big data analytics team, said obtaining large quantities of data is necessary for countering cyberespionage and breaches. “We’re trying to find the needle in the haystack, but to do so, we need the whole haystack,” he said.

In addition to the information sharing plan, the president also announced earlier this year that he will pursue a federal data breach law, under which consumers would be notified within a certain time period after a breach if their data has been compromised. To beef up the workforce, his administration will also provide $25 million in grants over the next five years to cybersecurity education.

The government also should create incentives for the business community to invest in cybersecurity, added Pescatore. He noted that Target, a $72 billion retailer, lost about $200 million last year when hackers stole the credit and debit card information of 40 million consumers.

“In the end, it all comes down to business decisions,” he said.
