Are Privacy Concerns for New U.S. Cyber Security Bill Warranted?

In early December, the House Intelligence Committee’s leaders – Mike Rogers (R-Mich.) and C.A. “Dutch” Ruppersberger (D-Md.) – proposed a new cyber security bill that would enable U.S. intelligence agencies “[t]o provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cyber security entities, and for other purposes.”

The White House and NGOs concerned with privacy have vigorously criticized this bill for the power that it gives government and for absolving of liability the telecommunication companies that would “share” their customers’ data. When one examines the facts of this situation, it’s clear that a bill that creates an effective Public-Private Partnership (PPP) is needed to respond to the increasing national security threats emanating from cyberspace. Privacy needs to be afforded a reasoned level of protection; hence, the best way forward is to have a final bill forged with both of these concerns in mind.

The bill – Cyber Intelligence Sharing and Protection Act of 2011 – has now cleared the House Intelligence Committee with a strong margin of support from its members. The bill grants a platform for sharing “cyber threat information” through a new quasi-government organization called the National Information Sharing Organization (NISO) – which would require the FBI and the departments of Defense, Energy and Homeland Security to participate – while letting private actors join voluntarily. With regard to privacy, the bill has provisions protecting the privacy of citizens. Greg Nojeim of the ACLU and Center for Democracy and Technology said that this bill should stipulate that information gathered for cyber security functions can be used only for cyber security functions.

Nojeim offers the most coherent arguments about the problems with this bill as it stands, which can be summed up in the following points. First, the “cyber threat information” to be shared isn’t specifically limited to “cyber security” purposes, as it allows for data related to routine business operations to be shared. Second, the bill could take away civilian control of U.S. cyber security policies, as it permits broad expansion of governmental control – especially for the policymakers in the DoD. Third, the bill overlooks other means of strengthening U.S. cyber security: a review of existing agencies (i.e. ISAC and US-CERT) and policies is needed to see if retooling them can meet the security needs called for by current threats.

Conversely, the national security threats manifesting from the murky domain of cyberspace have become increasingly dangerous in recent years, which merits a more competent response from both the public and private sectors.

Considering the purported threats from nation-state actors – like China and Russia – and from hackers of the underworld and of the “hacktivist” persuasion, there is a pressing need to have a united and cohesive national response by the public and private sectors.

The House Intelligence Committee has shown a willingness to address the concerns over privacy, as the current draft passed by the Committee incorporated the following amendments. First, “[p]rivate sector data-sharing must be voluntary and the government cannot force companies to give up data or condition the receipt of government data on private sector sharing of information.” Second, “[t]he intelligence community inspector general must submit to Congress an annual review of how the government used the private sector data, including impact on privacy.”

The problem now is that Nojeim still finds the bill to be overly strong and ambiguous in its provisions for privacy. Nojeim was given an opportunity to state those reasons in his testimony to the House Committee on Homeland Security. The concern remains focused on the three points raised after the introduction of the bill, with emphasis on the third point.

A compromise that meets both priorities is clearly needed to resolve the policy and moral dilemma posed by the Cyber Intelligence Sharing and Protection Act of 2011. Civilian oversight needs to be added to the proposed “cyber intelligence” sharing activities under this bill. At the same time, the bill should not be watered down to cater to privacy concerns, as there is a strong need for a strong PPP in the U.S. owing to the mounting dangers from cyberspace.
