Moving too fast on cybersecurity

Comedian Jimmy Fallon has a popular credit card ad in which he says that everyone, except for that cute baby, wants more cash back.

Everyone wants more cybersecurity, too — probably even that cute baby. But that doesn’t mean that calling something a cybersecurity law will actually improve cybersecurity. We should be very cautious about passing cybersecurity legislation this year.

The push for quick legislation is coming from many directions. Deputy National Security Adviser John Brennan, for example, called for swift action in a Washington Post op-ed this week.

The House is negotiating to merge various bills, perhaps for a floor vote the week of April 23. Notably, the House Intelligence Committee passed H.R. 3523, the Cyber Intelligence Sharing and Protection Act of 2011 (CISPA). The House Homeland Security Committee this week marked up H.R. 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (“Precise”). The Senate will come later, likely led by a bill from Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine).

The case for legislation goes beyond the temptation to vote for an apple-pie issue such as favoring protection against cyberattacks. Proponents also emphasize the growing number and severity of cyberattacks. The number of attacks does continue to climb, but that’s no surprise in a computerized world where each attack is easily automated and copied innumerable times.

Even if we stipulate that we face more and more severe attacks, a separate question is whether the proposed legislation actually improves cybersecurity. One point of dispute is whether — and how — to create cybersecurity rules that apply to the private sector, which operates the vast majority of critical systems. The Senate bills and the Precise Act, especially its subcommittee version, have run into opposition from major industry actors who question whether such rules would achieve their intended goal of responding to fast-changing cybersecurity attacks. Complying with such rules will impede innovation, both in general and for cybersecurity itself.

The other volatile issue concerns the innocuous-sounding “information sharing” provisions, most notably in CISPA. These are the provisions that have prompted the online activist campaign by Avaaz, the Center for Democracy and Technology, the Electronic Frontier Foundation and others.

As passed in committee, the definitions of “information sharing” and “cyber threats” were so expansive that they appeared to apply to unlicensed downloading of music or any other misappropriation of intellectual property. Hence, a political firestorm might erupt if the online community decides that CISPA is a backdoor way to revive the reviled Stop Online Piracy Act (SOPA) and PROTECT IP Act (PIPA). In response, House bill-writers have reportedly tried to narrow the definitions so that CISPA won’t target music and video downloads.

The overly broad definitions, however, still exist. They enable companies to share detailed information about their customers with the government and other companies — without telling their customers, and without a close link to actual cyber threats.

Of even more concern, CISPA would encourage this sharing of personal information “notwithstanding any other provision of law.” That means wiretap laws, medical privacy laws and all other privacy laws will be trumped whenever there is “information sharing” concerning a “cyber threat.” And, once the private information is shared, there are no significant limits on how the recipients reuse or redisclose the information.

These concerns show why Brennan is wrong when he says that industry and government have worked together on physical security and “there is no reason we cannot work together in the same way to protect the cyber systems.” The reason is that a poorly drafted CISPA would override decades of carefully crafted laws about when the government must use a warrant, or have another lawful basis for accessing the personal information of the American people.

In terms of positive measures, first, the Senate should move swiftly to confirm the bipartisan slate of nominees to the Privacy and Civil Liberties Board, which was created by the Congress specifically to oversee government information-sharing programs. Second, if the Congress updates surveillance and information-sharing powers, then it should at the same time consider updates to privacy protections. Sen. Patrick Leahy’s (D-Vt.) proposal to update the Electronic Communication Privacy Act would be an excellent place to start.

In conclusion, the cybersecurity bills before Congress are not likely to significantly improve cybersecurity, might actually undermine it while impeding technological innovation and could pose serious threats to long-established privacy and civil-liberty protections.

We all want more cash back and better cybersecurity. But that doesn’t mean we should like these bills.

Swire worked on technology and other issues in the White House under both Presidents Clinton and Obama, and currently is a professor at Ohio State University and heads a project on government access to personal information for the Future of Privacy Forum.
