President Obama recently stated that "the cyber threat to our nation is one of the most serious economic and national security challenges we face." This past fall, then-Secretary of Defense Leon Panetta warned of a "cyber Pearl Harbor," an attack on our nation's critical infrastructure that would "cause physical destruction and the loss of life." Many congressional leaders have also spoken of an urgent need to enact legislation to empower the government and private sector to protect our nation's cyber networks. And even after President Obama issued Executive Order 13636 in February to facilitate improved cybersecurity, the president and Congress have continued to press for legislation to address this issue.
Both the administration and members of Congress have stated that the goal is to provide government and the private sector with robust tools to fight cybersecurity threats while still protecting individuals' civil liberties and privacy rights. But the Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624, reintroduced in the House of Representatives on February 13, 2013, fails the test.
CISPA would promote public-private cooperation in cybersecurity by allowing the government to provide otherwise potentially restricted information about cyberthreats to private sector companies and, in turn, by facilitating private companies' sharing of information with federal authorities. A carefully designed information sharing program that strictly limits the information to be shared could be an effective approach to cybersecurity, so long as it includes robust privacy protections. Unfortunately, CISPA lacks such essential safeguards.
Rather, CISPA, in its current form, would allow sensitive personal information to be shared with the federal government, including agencies with a history of domestic spying, which could then potentially use the information for purposes totally unrelated to cybersecurity. CISPA may even allow for private companies, in an effort to combat a perceived cyber threat, to hack into other companies' networks, with blanket immunity for such actions--a dangerously overbroad possibility.
The Constitution Project (TCP) has worked as part of a broad coalition of privacy and civil liberties advocates to ensure that any cybersecurity bill incorporates robust safeguards for privacy and civil liberties. TCP's Liberty and Security Committee's January 2012 report, Recommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy, analyzes the civil liberties risks posed by cybersecurity information sharing programs and describes a series of recommendations to protect against these threats to constitutional freedoms. Based on this analysis, fundamental changes to CISPA are needed.
First, CISPA would allow private companies to send information directly to the National Security Agency (NSA) or other military agencies. Military and intelligence agencies, such as the NSA or the Department of Defense Cyber Command, can and should provide institutional expertise by sharing information about cybersecurity threats with the private sector. But the information flow from the private sector into the government should be directed to a civilian agency, and programs to protect private civilian cybersecurity networks must be run by civilian agencies, such as the Department of Homeland Security (DHS). Indeed, the Obama administration prefers that DHS lead the cybersecurity effort, and DHS has already developed substantial cybersecurity expertise.
Second, CISPA lacks any requirement that private companies endeavor to strip out personally identifiable information unrelated to the cyber threat when sharing information with the federal government. Any cybersecurity legislation should require that private companies make "reasonable efforts" to remove such private information before they send cyber threat information to the government. A "reasonable efforts" requirement is a flexible standard that recognizes that larger, more sophisticated companies have better capabilities for removing personal information than smaller companies.
In addition, CISPA permits the government to use information from private companies for national security purposes completely unrelated to cybersecurity. Although the current version of CISPA includes some important limits on what the government can do with the private information it obtains, the bill fails to prevent the federal government from using the information for broad and undefined national security purposes unrelated to cybersecurity. Strict use limitations would not only protect individuals' private information, but such provisions would also foster information sharing by giving companies confidence that their customers' data will not be used inappropriately.
The government should also be required to establish rules to govern its use of information submitted under the new cybersecurity program to minimize the impact on privacy rights. CISPA simply includes a provision stating that the government "may . . . undertake reasonable efforts to limit the impact on privacy and civil liberties." Rather, the bill should include a requirement that the executive branch develop rules to regulate government use of this information to provide meaningful protections for privacy rights and civil liberties.
Last summer, a bipartisan group of senators introduced a revised version of the Cybersecurity Act of 2012 (S. 3414), the first cybersecurity bill to offer strong civil liberties protections. Although it could still benefit from some further improvements, S. 3414 showed that it is possible to draft a cybersecurity information sharing program that incorporates many of these robust privacy safeguards.
The goal of protecting our nation's networks from cyberattacks is a laudable one, but Congress must also address the threats to Americans' privacy rights and civil liberties. CISPA, lacking critical safeguards for individuals' privacy rights and civil liberties, is not the right shield to guard civilian networks or the American people from the increasing threat of cyberattacks.
This editorial was co-authored with Sharon Bradford Franklin, Senior Policy Counsel at The Constitution Project.