Edwin Rios – Medill National Security Zone http://nationalsecurityzone.medill.northwestern.edu A resource for covering national security issues Tue, 15 Mar 2016 22:20:28 +0000 en-US hourly 1 Watchdog groups concerned with information-sharing provision of cyber legislation http://nationalsecurityzone.medill.northwestern.edu/blog/2012/03/15/watchdog-groups-concerned-with-information-sharing-provision-of-cyber-legislation/ Thu, 15 Mar 2012 13:39:39 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=10299 Continue reading ]]> WASHINGTON – When Adm. Mike McConnell served as director of the National Security Agency in the early 1990s after the Cold War, he noticed what he described as an unspoken competition between federal agencies over the sharing of critical national security information.

Cybersecurity legislation today revolves around the same competition, he said at a discussion of cyber threats at The George Washington University. He also said that the competing arguments that frame the need for privacy of Americans’ information and regulation to ensure cybersecurityshould be set to rest by  explicitly stating in the proposal that information used for purposes other than cybersecurity is a violation of law.

“The concerns about privacy and regulation that might touch industry,” McConnell said, “are not allowing us to get to the point where we set the legislative framework to harness what’s needed from the government and what’s needed from the private sector to share information at network speed.”

He also said the agency that can see the world at network speed, National Security Agency, should take the lead in assessing cyberthreats.

Last month, Sen. Lieberman, I-Conn., introduced the Cybersecurity Act of 2012 last month, which would delegate regulatory authority over cybersecurity to the Department of Homeland Security department. Sen. John McCain, R-Ariz., and other GOP supporters offered a counter bill that would include the National Security Agency as a cyberthreat protector.

Privacy advocates have criticized parts of cyber legislation for lack of clarity over what information will be shared between government agencies and the private sector and who will collect that information.

“We are concerned that the cybersecurity provisions are going to fall to the NSA, which has had a history of being nontransparent and unaccountable,” said Amie Stepanovich, national security counsel of Electronic Privacy Information Center. “[The intelligence] is going to disappear into this security black hole that nobody will ever get information about.”

President Barack Obama’s administration currently gives the Department of Homeland Security authority to monitor domestic cyberthreats

Any cybersecurity legislation should provide strong partnerships with the private sector to foster innovation in ways to enhance security, Homeland Security Deputy Secretary Mark Whetherford wrote in blog post on the department’s website Tuesday. He also said legislation must “mandate increased and more robust privacy oversight, including penalties for misuse of voluntarily shared information.”

“The troubling side of spending a week with some of the experts in the cybersecurity world,” he wrote, “is that when we compare notes on our views of the threat, we all agree that despite the firewalls and layered defenses, we are not always keeping intruders out.”

The Constitution Project released a report in January that concludes Americans should be concerned about the federal government’s public-private partnership efforts to share information. It included concerns regarding “sensitive personal information of people who work for or communicate with [private sector companies sharing information] could be improperly or inadvertently disclosed.” The advocacy group compared the privacy concerns surrounding sharing to the NSA’s warrantless wiretapping after September 11.

Stepanovich said the NSA, which is part of the Defense Department has not been transparent about its cybersecurity policies and programs because of its broad Freedom of Information Act exemption. She said the ACLU has been in a yearlong legal battle with the agency to define what its boundaries are, saying “they fight tooth and nail just to keep everything about their operations away from the public.”

McConnell put the current state of sharing in an even bleaker perspective: “Unless it is required by law or incentivized [to the private sector] in a particular way, you will not have information sharing.”

The debate goes on

Rep. Mike Rogers, chairman of the House Intelligence Committee, told an audience at the  Heritage Foundation recently that information sharing between the private sector and federal agencies is critical tor prevent a catastrophe from occurring.

He, along with the committee’s senior Democrat, Rep. Dutch Ruppersberger, pushed the Cyber Intelligence and Sharing Protection Act through their committee last year. The 13-page provision would encourage private companies to voluntarily share cyberthreat information with federal agencies. It also would exempt private firms from responsibility for how the government uses their information.

His bill, which has been supported by private companies like IBM and Facebook, is one of several cyber bills moving through the House and Senate.

In addition to the Lieberman and McCain bills, Rep. Dan Lundgren, chairman of the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, pushed a bill that would  create a privately run nonprofit clearinghouse for clearly defined cyber threat information. It also would require personally identifiable information unnecessary to describe a threat not to be shared with the organization.

Michelle Richardson, legislative counsel for the American Civil Liberties Union, told the subcommittee that the ACLU’s concerns were what information is being shared and who gets to receive that information. Richardson stressed lawmakers should clearly state that personally identifiable information should not be shared with the government.

She said information sharing provisions in the Rogers bill would encourage private companies to provide information without oversight.

“All the bills take a different approach [to information sharing],” she said. “The Lundgren bill uses stronger language about taking out personally identifiable information whenever it’s not necessary to respond to a cyber threat. The worst is probably the Rogers bill, because it allows the sharing of all cyber information.”

Richardson said some of the information the group is concerned about includes Internet use history and the content of emails. She expressed concern the NSA’s “horrible track record” for its participation in warrantless wiretapping.

“What the legislation is really about is domestic civilian Internet use of information,” she said. “It is totally inappropriate for the military to be receiving that.”

Greg Nojeim, senior counsel at the Center for Democracy and Technology, said before a House subcommittee in December that the private sector “remains responsible for monitoring and protecting its own networks and that monitoring authority should not be transferred, directly or indirectly, to the government.”

The problem, Stepanovich said, is that many companies are unsure what the state of the law is right now.

As the bills work their way through the system during an election year, privacy groups watch with cautious optimism. The “shortened timeline” and multiplicity of provisions, Richardson said, demonstrates the importance for lawmakers to get it right.

“We would rather have no bill than a bad bill,” Richardson said. “Once they pass a cybersecurity bill, we are stuck with it — from a privacy perspective, anyways.”

]]>
White House attempts to digitize privacy bill of rights http://nationalsecurityzone.medill.northwestern.edu/blog/2012/03/04/white-house-attempts-to-digitize-privacy-bill-of-rights/ Sun, 04 Mar 2012 20:52:21 +0000 http://nationalsecurityzone.medill.northwestern.edu/site/?p=9920 Continue reading ]]> WASHINGTON – As private companies like Google and Facebook expand their offerings of personalized experiences, those conveniences — syncing your address book with your Facebook contacts, providing word suggestions when texting, even gearing specific advertisements during commercials — are often taken for granted.

The Founding Fathers, however, had no way of anticipating the rapid growth of technology. Therefore, technological innovation — and the data gathered from such innovation — has outpaced the law.

Now, the White House is attempting to catch up with the exponential pace of private data collection with last week’s introduction of the “Consumer Privacy Bill of Rights.”

The Obama administration presented the blueprint for legislators and companies to agree on how to protect individual privacy rights and give users more control over how their data is collected, shared, and used. It would also provide users the chance to access and correct their data.

“For businesses to succeed online, consumers must feel secure,” President Barack Obama said in a statement. “By following this blueprint, companies, consumer advocates and policymakers can help protect consumers and ensure the Internet remains a platform for innovation and economic growth.”

It pushes for more transparency from private companies — some of whom use consumer data without consumers’ knowledge to present a more personalized experience or advertisement. Last year, two scientists found that Apple collected and stored 10 months worth of geological data from iPhones, iPads and iPod Touch devices to improve location services.

The initiative calls for browsers to have a “Do Not Track” option in case consumers prefer that their data not be tracked Companies recpresenting sites that host nearly 90 percent of online behavioral advertisements — such as Google, Yahoo!, Microsoft and AOL — have already made their commitment to the technology.

In Google’s public policy blog, Susan Wojcicki, senior vice president of advertising, wrote  that while the agreement would not solve all the privacy issues on the web today, the Obama proposal represents a meaningful step forward in shifting digital privacy controls to users.

Jeff Chester, executive director at the Center for Digital Democracy, told NPR’s Steve Henn that companies like Facebook and Google are worried the European privacy policy, which requires greater consumer control over data, will become the dominant privacy standard.

Sen. Al Franken, D-Minn., wrote in an op-ed on Wired’s Epicenter blog that the United States has a long way to go before modern privacy laws are in line with modern technology. He said he would push his colleagues to do whatever it takes to protect American consumers.

“I believe that consumers have a fundamental right to know what information is being collected about them,” Franken wrote. “I believe that they have a right to decide whether they want to share that information, and with whom they want to share it and when. And I believe that consumers have a right to expect that companies that store their personal information will store it securely.”

As the Internet evolves, Obama said, consumer trust is needed to spurn digital economic growth. The proposal suggests that private companies must provide clearer information into how they use data and how secure that data will be.

The timing is almost perfect; the administration’s proposal aligns with Google’s new streamlined privacy policy, which provides a more transparent look at how Google uses data across all of its 60 services, including Gmail, Google+ or YouTube, to tailor a personalized user experience.

A Daily Telegraph poll showed that 64 percent of people are worried about Google’s new privacy policy and would change their online behavior.

 

]]>