Last Thursday, Senators Lieberman, Collins, Rockefeller, Feinstein, and Carper introduced a new version of the Cybersecurity Act of 2012 (S. 3414), designed to protect America's computer networks from hackers and other cyber attacks. In his op-ed in Friday's Wall Street Journal, President Obama calls for immediate passage of this cybersecurity legislation, while noting that "our approach protects the privacy and civil liberties of the American people," and that he will "veto any bill that lacks strong privacy and civil-liberties protections."
The Constitution Project (TCP) has worked as part of a broad coalition of privacy and civil liberties advocates to ensure that any cybersecurity bill incorporates robust safeguards for privacy and civil liberties. This new cybersecurity bill is the first one that may actually be able to carry out the promise of providing meaningful privacy and civil liberties safeguards.
Like all of the lead cybersecurity bills being considered in Congress, this bill would authorize information sharing between government agencies and private companies, including major online service providers such as Yahoo and Google. In addition to permitting the government to share information on cyber threats with private companies, such programs would allow private companies to turn over private information, potentially including sensitive personal and financial information, to government agencies. While a carefully crafted information sharing program with robust safeguards for privacy rights may be a helpful approach to cybersecurity, until now all of the bills introduced in Congress were seriously deficient in providing these civil liberties safeguards.
The new Cybersecurity Act, S. 3414, is a revised version of S. 2105. The changes to the bill's information sharing provisions are substantial, and address many of the privacy and civil liberties threats posed by such cybersecurity information sharing programs. The sponsors of the new legislation, and the group of Senators -- headed by Senators Franken and Durbin -- who worked to secure these changes to the information sharing provisions, should all be applauded for these efforts.
TCP's Liberty and Security Committee's January 2012 report, Recommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy, analyzes the civil liberties risks posed by cybersecurity information sharing programs, and describes a series of recommendations to protect against these threats to constitutional freedoms. Among the various changes to the Cybersecurity Act's information sharing provisions are several that would address key priorities for TCP.
First and foremost, the bill now includes tight restrictions to avoid creating a new sweeping government surveillance program -- in effect, backdoor wiretapping. Under some proposals, once the data were in the government's hands, they could be used for almost any purpose, including being turned over to law enforcement officers or the IRS. Revised provisions in the new legislation include strict limits to ensure that information collected by the government may be used only for cybersecurity purposes, including prosecution of cybersecurity crimes, or to protect individuals from imminent threats of death or serious bodily harm and to protect children from sexual exploitation and serious threats to their physical safety. It may not be used for other national security purposes or for criminal prosecutions unrelated to cybersecurity.
Relatedly, the bill's language has been tightened to narrow the scope of information that may even be shared with the government. The information that private companies may share is now limited to that which is "reasonably necessary to describe" a cybersecurity threat indicator, so that companies cannot send massive quantities of private information unrelated to demonstrating a cyber threat. The earlier version of the bill had already included a critical requirement that private companies make "reasonable efforts" to remove unrelated personal information that can identify a specific individual before sharing data with the government.
In addition, the new version ensures that information flowing into the government from the private sector under this program will go directly to civilian agencies and not to the NSA or other military or intelligence agencies. This new bill requires that all government cybersecurity "exchanges" -- the entities that receive and distribute information related to cybersecurity -- be civilian agencies. A program to safeguard private civilian networks should be run by civilian agencies, not by the military or intelligence agencies.
Another important change strengthens the bill's oversight requirements. The new bill now requires annual compliance audits by the independent Inspectors General of four agencies. In order to promote greater transparency and accountability, it also requires submission of an unclassified version of these reports to Congress. Finally, the bill now requires that the government put privacy rules into place before the information sharing program can become operational.
From a privacy and civil liberties perspective, the Senate bill is now far superior to the cybersecurity bill passed by the House this spring, the Cyber Intelligence Sharing and Protection Act (CISPA). Although CISPA also requires annual Inspector General audits, it fails to provide any of the other critical safeguards outlined above.
TCP welcomes the inclusion of these privacy protective measures in the Senate bill, but the push to ensure safeguards for Americans' civil liberties is far from over. We urge Senators to support these changes and to resist efforts to water them down. Cybersecurity legislation can protect both our cyber networks and our individual rights.
This editorial was co-authored with Sharon Bradford Franklin, Senior Policy Counsel at The Constitution Project.