In Fight to Secure Cyberspace, Lawmakers Can't Forget Privacy

No matter how dire the threat, any cybersecurity bill must have stringent safeguards that govern how information is shared, how long it can be stored, and who gets to see it.
This post was published on the now-closed HuffPost Contributor platform. Contributors control their own work and posted freely to our site. If you need to flag this entry as abusive, send us an email.

As security officials continue to stir the pot with doomsday warnings of apocalyptic cyberattacks, lawmakers must not lose sight of privacy rights as Congress moves ahead with legislation aimed at protecting key private networks.

Heeding the warnings of impending cyber Armageddon, this year both the Senate and the House have vowed to pass sweeping laws aimed at securing critical infrastructure, but like many previous bills governing the internet, they are full of glaring privacy violations.

Currently, the Senate is considering a law that would grant broad powers to the Department of Homeland Security (DHS) to monitor private internet communications in the name of protecting crucial industries like healthcare, energy, and finance from malicious hackers.

The Stuxnet worm, which caused significant physical damage at one of Iran's nuclear facilities, clearly demonstrated the dangers of cyberattacks, but measures to secure critical networks cannot come at the expense of civil liberties.

The bill, originally scheduled to make its way to the Senate floor this week, has been sharply criticized by the Constitution Project, which concluded that under the proposed law ordinary citizens "face the risk of being subjected to the equivalent of a perpetual 'wiretap' on their private communications and web browsing behavior."

More specifically, the bill aims to expand the Comprehensive National Cybersecurity Initiative (CNCI), launched by President George W. Bush in 2008. The CNCI was designed to protect government networks from cyberthreats with the help of "Einstein," an automated program that archives, scans, and analyzes traffic for malicious activity. The system currently stores and automatically monitors all communications between private citizens and federal agencies, but the government has plans to extend the program's reach even further.

Under the Senate's proposal, Einstein's jurisdiction would be expanded to monitor and protect critical private industry networks -- meaning, all online interactions between individuals and transportation companies, health care providers, and banks would be subject to search by the federal government, a clear affront to the Fourth Amendment.

In an effort to assuage concerns, Matthew Chandler, a spokesman for DHS, said the agency "builds strong privacy protections into the core of all cybersecurity programs and initiatives."

Admittedly, DHS' intentions are likely for the best and the expansion of Einstein is aimed at preventing malevolent code from penetrating sensitive networks, but intentions only go so far. Concrete regulations and oversight must be in place to ensure the protection of privacy, and the program as it stands lacks any such safeguards.

According to The Constitution Project, the regulations for Einstein "lack identifiable safeguards to prevent stored, private information from being shared among federal agencies and possibly transferred to law enforcement agencies and used against individuals in unrelated criminal proceedings."

To make matters worse, implementation and testing of the latest iteration of the Einstein system has been conducted with the help of the National Security Agency and AT&T, the two entities involved in the Bush administration's warrantless interception of emails and phone calls.

Despite the dearth of public debate about the legality of the government's use of Einstein and the disconcerting absence of safety measures regulating it, the Senate is moving ahead with dramatically expanding the program to monitor even more personal data. More troublingly, the upcoming cybersecurity bill has received little attention and is only one in a long string of proposed laws that have potentially empowered the government to intercept and review data from private networks.

In recent years, Congress has quietly introduced more than 50 cybersecurity bills. While much of the legislation never made it to the floor, several contained sweeping provisions that allowed the private sector to share vast quantities of personal data with the government with limited oversight.

Moving forward, legislators cannot simply prioritize national security over civil liberties, granting extensive powers to monitor all Internet communication out of fear that a few individuals have pernicious intentions. Privacy is a deeply engrained value in American society as old as the Bill of Rights. As critical as the internet becomes in facilitating communication and the flow of finance, transportation, and energy, officials must not lose sight of the fact that the core of the internet is the embodiment of the beliefs this country were founded upon -- freedom of expression, privacy, and equality.

Lawmakers should heed the valuable lessons learned by the Stop Online Piracy Act (SOPA) protests and maintain transparency, emphasize the rule of law, and prioritize democratic principles, lest they wish for another grassroots movement that temporarily blacks out the internet.

Simply put, if the United States does not staunchly uphold civil liberties on the internet, it has no right to promote freedoms abroad. As the first democratic nation in the modern world and the creators of the internet, the United States has a duty to lead by example. No matter how dire the threat, any cybersecurity bill must have stringent safeguards that govern how information is shared, how long it can be stored, and who gets to see it.

Popular in the Community