Congress is set to act on cybersecurity legislation that has been making its way through committees in both chambers for several years. The House is set to vote on these bills during the week of April 23, dubbed "Cybersecurity Week." The Senate will take action soon after.
A lot of important work has gone into these bills that are intended to strengthen both the government and civilian response to cyber threats. Yet parts of these bills are alarming because, if passed, any information we put online—work, play, personal and sensitive—could be put at risk.
Thoughtful policy can help harden critical infrastructure targets—such as the electric grid, nuclear power plants, and communication networks—against unauthorized intrusions, making the Internet a safer place for all. But if Congress does not step up to make important changes in these bills, we may face an epic loss of our civil liberties.
The signals right now are not good. The House is expected to kick off Cybersecurity Week by taking up HR 3523, a bill sponsored by Reps. Mike Rogers (R-Mich.) and C.A. Dutch Ruppersberger (D-Md.).
The House Intelligence Committee approved the bill in a secret session held one day after the bill was introduced and without a single public hearing on the legislation. A bill more sensitive to civil liberties, sponsored by Rep. Dan Lungren (D-Calif.) (HR 3674, or "the Lungren bill") has moved at a more deliberate pace and in open sessions. That bill is slated for full Committee consideration the week of April 16. It will be up to House leadership to reconcile those bills with each other.
For civil libertarians, the most important part of all the cyber bills is buried in the language describing "enhanced information sharing" of cybersecurity threats between private companies and the government. To date, shortcomings in current law and excessive government secrecy have stymied appropriate sharing of carefully defined threat information among industry players and between industry and the government. But in the Rogers bill, information sharing provisions allow for "too much information" sharing, threatening to transform needed reform into a shadow surveillance network.
Here's how. The Rogers bill creates a sweeping "cybersecurity exception" to every single federal and state law, including key privacy laws such as the Electronic Communications Privacy Act, the Wiretap Act, and the Privacy Act, allowing private companies holding our private communications to share them with each other, with the National Security Agency (NSA), with other intelligence and defense agencies, and with every other agency of the federal government.
Unlike the Lungren bill, Rogers makes no effort to list the specific categories of cyber threat indicators that may be shared, instead offering a very broad, almost unlimited definition of the information that can be shared with government agencies. It allows companies to share any information "pertaining to the protection of" a system or network. Since any digital communication may contain an attack and since ISPs and other communications providers routinely scan all their traffic to protect their networks, this appears to allow all of that traffic to be shared with the government.
Why should companies participate in the "voluntary sharing" the Rogers bill authorizes? The quid pro quo may be irresistible: more useful cybersecurity information from the government and other companies, and broad immunity from lawsuits, in exchange for sharing. In contrast to the Lungren bill, there are no data restrictions to stumble over and few discernible brakes on the system. When the NSA comes calling with its Easter basket full of goodies, in the form of needed expertise and knowledge of global cyber threats, there will be powerful incentives for industry to return the favor.
And under Rogers, once your personal information is in the hands of the government, all bets are off. It can be used for any national security purpose, including to track patterns of communications to decide whether to seek authorization to wiretap you. It can be used to prosecute you for any crime, provided an intelligence agency also finds at least a significant national security or cybersecurity purpose for the information. Lungren, by contrast, limits sharing to cybersecurity purposes, including related law enforcement.
While the bill does not specify which agencies ISPs could disclose customer data to, the structure and incentives in the bill raise a very real possibility that the NSA or the DOD's Cyber Command would be the primary recipient. In Washington, D.C., information is power, and if the NSA receives the cybersecurity information from the private sector, it may well take the lead role on cybersecurity efforts for the private sector away from civilian control at the Department of Homeland Security.
The NSA has been lobbying for a bigger role in the cybersecurity operations of private networks for some time, including more access to private communications. While the Administration has so far rightly resisted the demands of the intelligence agency to take command and control of cybersecurity, the Rogers bill leaves the question of which agency will be in control muddled at best, setting the stage for a power struggle sure to happen out of the public eye.
Why would the House of Representatives consider a bill that could put a secret agency that has engaged in years of warrantless wiretapping in the middle of the Internet and give it such power? It is hard to figure.
To be sure, the NSA has important expertise and information to bring to the cybersecurity effort. It has classified cyber attack signatures that could be valuable to the private sector, and it is already sharing its expertise with the DHS. But these benefits are easily secured without such overreach.
The Lungren bill, at least as it stands now, hits most of the right notes. It keeps the nation's cybersecurity efforts under DHS control, which maintains civilian control while promoting more transparency and accountability to the public. It plainly and narrowly describes the customer data that can be shared and limits government use to cybersecurity-related matters. Lungren also gives companies more confidence that they will know how their customer information is being used and shared than they could possibly have under the Rogers bill.
So why is the House leadership trumpeting the Rogers bill, and why are so many companies lining up to support it? For companies, the answer is easy: freedom to share information with whatever entity they please, blanket immunity for sharing, blanket immunity for a recipient of shared cybersecurity information who fails to take protective measures even when they are clearly needed, and no regulatory burdens. For House leadership, the answer seems to be that it is not listening to Internet users. Perhaps it's time for us to speak more loudly.
Here is how to get cybersecurity information sharing legislation back on track: by precisely answering three simple questions with Americans' privacy in mind. What information can be shared? With whom? And for what purposes?
What information can be shared? Congress should narrowly define the specific categories of threat information that can be shared, and the Lungren bill already does this quite well. It permits companies to share only information necessary to describe six specific threat categories, and it requires companies to make reasonable efforts to remove unrelated personal information before sharing.
With whom should information be shared? Congress should ensure that civilian control of cybersecurity is preserved. It should put DHS firmly in control, working with the private sector to help companies exchange information under strict control. If narrowly defined cyber threat information is to flow to the government, it should generally go to DHS. Information about cyber attacks on classified systems maintained by defense contractors could also be shared with the Pentagon.
For what purposes may information be shared and used? A cybersecurity law should only authorize sharing of cybersecurity threat information for cybersecurity purposes, including prosecuting cybersecurity crimes. Without that limitation, information sharing could become a backdoor wiretap. Here the Rogers bill is the biggest risk; it permits information shared for cybersecurity reasons to be used for any national security purpose and to prosecute any crime. A warrant or other legal process is essential if the government wants to use the information for other purposes.
Despite the dire picture painted here, Cybersecurity Week need not signal open season on civil liberties and privacy. House leadership has a choice between the seriously flawed Rogers bill and the more measured Lungren bill.
Once again we are being told that we have to trade liberty for security, and once again, it's just not true. The House leadership just needs to make the right choice.
Leslie Harris is the president and CEO of the Center for Democracy & Technology.