Top defense officials have warned that the United States faces the threat of a devastating cyberattack that could lead to fatalities or damage to critical infrastructure. In the case of a cyber emergency, the report recommends that the president should be able to certify to Congress that the threat exists and allow companies to carry out "reasonable countermeasures" to protect against the attack.
The task force also calls for existing laws, including the Electronic Communications Privacy Act (ECPA) and the Wiretap Act, to be amended so they make clear that Internet service providers can monitor communications on their networks for cyber threats if they have consent from a company or consumer. The report recommends that federal law should state "that consent by one party to a communication is sufficient and that such consent overrides contrary state laws."
"The critical point of agreement is that the restrictions in ECPA and other laws should not prohibit monitoring of network traffic and the sharing of information about cyber threats and vulnerabilities that is essential to protecting the nation’s IT networks," the report said.
Current law should also be amended so companies can share information with the government without a subpoena, according to the report. Cybersecurity legislation pending in Congress, including the Cyber Intelligence Sharing and Protection Act, allows companies to do this.
But the task force notes that privacy rights should be respected and Congress should be able to find a middle ground on the various privacy safeguards baked into each bill. The report lists the type of information that should be shared with the government, including malware threat signatures, malicious IP addresses and details about a cyber incident. Companies can also use technology to protect against sensitive personal information being shared, the task force said.
Information sharing "need not, and must not, come at the expense of Americans’ privacy and civil liberties, particularly given the current availability of cost-effective technology to protect such information," according to the report.
Privacy and civil liberties groups have raised concern about the cybersecurity legislation pending in Congress, arguing that the bills would increase the pool of Americans' personal data flowing to the government and military. The ACLU and Center for Democracy and Technology have argued that the bills should include sharper definitions for what type of information the government collects from companies and how it plans to use that data.