A new report drafted by a think tank group including former heads of the national security agencies recommends loosening privacy laws to allow companies to monitor users for cybersecurity threats.
The goal of the Bipartisan Policy Center’s “Public-Private Information Sharing” report launched on July 19 is to encourage companies to share information with the government about cybersecurity by removing legal liability fears. The report is available for download here. The think tank’s Cybersecurity Task Force reported that loosening the Wiretap Act, and the Electronic Communications Privacy Act which amended it, would allow companies to monitor for threats to their networks more effectively.
“Currently cyber information sharing is conducted under an outdated legal framework that frankly was designed for the telephone, rather than packets of data traveling over the Net to various devices,” said Michael Hayden, former director of the Central Intelligence Agency and co-chair of the Bipartisan Policy Center’s Cyber Security Task Force.
More than 50,000 hacks against private and government networks were reported from October 2011 through February 2012, according to the Department of Homeland Security. Companies sometimes do not report data breaches for fear of damaging their reputations or fear of legal reprisal for not going through proper procedure. New legislation would ease a corporate culture unhappy with this status quo, said Bryan Cunningham, former deputy legal advisor to the national security advisor.
“Businesses have a real problem with the lack of certainty and the many, many different standards that they have to comply with,” Powell said. “Even if the standard became more restrictive, I think most businesses would say a clear standard is better than the mess that we have now.”
Monitoring of a network is permitted under the Wiretap Act and the ECPA if an Internet service provider (ISP) is tracking its own network, not the end user, and if the provider has reasonable cause to suspect its property rights are being violated and can link such activity to a device. During any permitted data interception the ISP cannot act as law enforcement’s agent, and any monitoring must be narrowly focused. The report states:
“Relevant statutes should be amended to clarify that consent from an individual or company is sufficient for such monitoring, which can include consent by an information technology service on behalf of its users.”
If ISPs had clearer authority to monitor networks then Web companies could protect their users with real-time intelligence about hacks and malware, argued Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security.
“I think there is a business there, I would pay for that,” Baker said. “We’ve all gotten to the point where trying to protect ourselves is a daunting prospect.”
The Wiretap Act and ECPA allow 12 state laws to require consent by both parties involved in any data inspection before the inspection can take place, which the report states “gives cyber attackers a veto on whether their packets are inspected for malicious content.” A total of 46 states and the District of Columbia have data breach notification laws in place to protect consumer rights and privacy.
In an effort to streamline threat information sharing Hayden called for a national law for data breach notification. The Obama administration proposed such a law as part of a May 2011 cybersecurity report, which is available for download here.
“Congress should also provide a safe harbor for companies when there is no actual risk for consumers having their data misused,” Hayden said, referring to a component of the Obama administration proposal.
Subpoena requirements for cyber threat information sharing are another bit of red tape the report states should be cut in the name of security. The report suggests keeping the civil liberties and privacy intentions of existing laws without recommending how to narrowly edit along those lines. The report states:
“With the right privacy and civil liberties protections in place, there is no valid reason for cyber threat information not to be shared with the federal government, and a subpoena requirement can often thwart information sharing to identify and stop cyber attacks underway.”
Along with removing limits on cybersecurity monitoring, the report recommends making information sharing on digital threats a two-way street. As an incentive to share cybersecurity threat information with the government, companies would receive in return information relevant to the hacks, the report states.
Less sensitive government cybersecurity information should also be regularly disclosed, Hayden said, adding that a more open process would be improved by requiring more personnel to have security clearances in critical infrastructure industries such as emergency services, energy, IT, banking, health care and communications.
Another recommendation by the report would clarify the president’s ability to declare a cybersecurity emergency and call on Congress to take action to protect against an attack. Baker alluded to controversies about executive power over the Internet in a national security emergency, such as the possibility of an “Internet kill switch,” a power also held by ousted Egyptian President Hosni Mubarak. Discussions about the president’s power in a cybersecurity emergency are better to have now than after an attack, Baker said.
“It doesn’t advance civil liberties to say ‘Mr. President you have a choice between wringing your hands on the sidelines and declaring martial law,’” Baker said.
These recommendations come at a time when a key component of cybersecurity bills currently before Congress is whether to require companies to share information with government agencies about digital threats. After pressure from advocacy groups such as the Center for Democracy and Technology and other members of Congress, a revised Cybersecurity Act of 2012 was released on Sunday by its co-sponsors Sen. Joe Lieberman (I-Conn.) and Sen. Susan Collins (R-Maine). Several privacy advocates such as the American Civil Liberties Union supported the amendments as an improvement, but the ACLU and the CDT reminded Internet freedom activists to remain vigilant on privacy concerns ahead of a Senate vote.
While Congress debates different versions of the bills, the Cybersecurity Task Force is convinced its recommendations balance privacy and security concerns. However, international human rights groups argue that repressive countries that conduct widespread censorship or surveillance online often defend their actions by stating that those actions conform with the policies of other democratic countries.
Hayden also pointed out that cybersecurity threats are used as an argument by developing nations to change existing Internet governance models so they can assume more control of their nations’ networks, which could threaten Internet freedom by instituting new restrictions on use in those nations.
“If we fail at our task, this argument gets some more traction,” he said.