CDT: Privacy, Transparency Needed in Cybersecurity Policy

U.S. President Barack Obama’s administration and Congress will have to address major civil liberties and transparency concerns as they create new policies to tackle ongoing cybersecurity vulnerabilties in the government and private industry, a digital rights group said.

The White House is scheduled to complete a 60-day review of federal government cybersecurity efforts this week, and questions about civil liberties, privacy and other issues must be addressed, said officials with the Center for Democracy and Technology (CDT), a digital rights group. The Obama administration has so far talked about cybersecurity in broad terms, with the potential for new regulations that have wide-ranging effects, said Leslie Harris, CDT’s president and CEO.

“When the administration talks about cybersecurity, at least in advance of this release, cybersecurity is broadly defined in ways that could sweep virtually any aspect of American life into the mix,” she said Wednesday.

Policy makers need to treat the Internet differently than other critical infrastructure systems, such as the power grid and water control systems, Harris said. Government officials don’t need to worry about free expression when regulating how the power grid should be protected, she noted.

In addition to the 60-day cybersecurity review by U.S. National Security Council adviser Melissa Hathaway, members of Congress have already introduced bills targeted at improving U.S. cybersecurity. Senators Jay Rockefeller, a West Virginia Democrat, and Olympia Snowe, a Maine Republican, introduced a bill April 1 that would allow the president to shut down public and private networks during a cybersecurity emergency and would allow some government regulation of private networks.

CDT also called for the U.S. government to be more transparent in its cybersecurity efforts than in the past and to work harder to share cybersecurity information with the private sector and encourage the private sector to share information with the government. The government needs to provide new incentives for private companies to share information about attacks and vulnerabilities, said Gregory Nojeim, CDT’s senior counsel.

“Transparency builds trust,” he said. “The public needs to know what’s being done to protect their privacy, and also what’s being done to protect their security.”

The CDT urged Obama not to put the U.S. National Security Agency (NSA) in charge of federal cybersecurity efforts, despite some calls for the U.S. Department of Homeland Security (DHS) to lose its authority in the area.

In December, a panel of cybersecurity experts convened by the Center for Strategic and International Studies (CSIS) recommended that DHS be stripped of its cybersecurity leadership role after years of what the panel called ineffective efforts. Leaving cybersecurity efforts at DHS would “doom that function to failure,” the CSIS report said.

While the CSIS panel recommended a cybersecurity czar in the White House, one other approach would be to give the NSA a leadership role, but that would be a mistake, Nojeim said. The NSA has cybersecurity expertise, but its role is to intercept Internet traffic on foreign systems, and CDT is concerned that it would have conflicting incentives for reporting and fixing vulnerabilties, he said.

NSA “wears two hats,” Nojeim said. “One is to break into foreign government systems, to exploit weaknesses. The cybersecurity initiative is about plugging weaknesses and strengthening systems. The systems that need to be strengthened are available internationally.”

DHS cybersecurity efforts can be improved with congressional help, and that agency has authority to protect critical infrastructure, Nojeim said. “It doesn’t solve the problem to complain about it,” he said.