WASHINGTON– As lawmakers on Capitol Hill are pushing legislation to protect U.S. national security from cyber threats, they’re getting serious pushback from critics who argue the proposals violate the right to privacy, making cybersecurity one of the leading issues for civil liberties activists today.
“The last decade was about the Patriot Act,” Michelle Richardson, legislative counsel with the American Civil Liberties Union. “This is probably the next big civil liberties threat.”
Central to the debate has been the Cyber Intelligence Sharing and Protection Act. The act was passed by the House in April and could be taken up by the Senate before the August recess. It would allow for private companies to share consumer information with the government to prevent cyber threats.
“With strong provisions built in to keep individual American’s private information private, the bill allows U.S. businesses to better protect their own networks and their corporate customers from hackers looking to steal intellectual property,” according to a statement from Rep. Mike Rodgers, R-Mich., chairman of the House Permanent Select Committee on Intelligence, who sponsored the act with Rep. Dutch Ruppersberger, D-Md.
But, civil liberties groups argue the bill doesn’t do enough to protect Americans’ privacy. “CISPA creates an exception to all privacy laws to permit companies to share our information with each other and the government in the name of cybersecurity,” wrote a coalition of civil liberties groups to the House in April prior to the bill’s passage.
According to a recent United Technologies/National Journal Congressional Connection Poll, “63 percent said that government should not be allowed to share information because it would hurt privacy and civil liberties.”
But, Paul Rosenzweig, former deputy assistant secretary for policy in the Department of Homeland Security, argues that most Americans would actually support increased cybersecurity measures.
The House amended CISPA prior to passing it in April. With these amendments, “the privacy people won a large fraction of the battle,” Rosenzweig said.
The legislation now has more limitations on the purposes for which the information could be shared. In addition, the act now states that people can be sued for the misuse of the information, he said. “I thought CISPA was significantly weakened to answer a lot of privacy and civil liberties concerns.”
Civil liberties groups disagree, arguing that some of the fundamental issues of CISPA were not addressed by the amendments, such as the fact that companies still don’t have to make an effort to strip out sensitive information, Richardson said. The bill also still allows personal information to go directly to the Department of Defense and National Security Agency, she said.
Sensitive personal information “should never be siphoned directly to the military,” she. “It’s so fundamental and core to what our country believes in.”
The chances the Senate actually takes up the bill before recess is slim, Rosenzweig said. In the midst of campaigns and a looming appropriations bill that needs to be settled, a cybersecurity act will likely not find its way on the agenda.
Two other pieces of legislation sit in the Senate that address combating against cyber threats. The Cybersecurity Act of 2012 and Secure IT Act would similarly allow for greater sharing of information between companies and the government.
Even if CISPA is picked up and passed in the Senate, President Barack Obama has indicated that he would move to veto the legislation. In April, the administration released a statement arguing that the act does not have enough limitations to protect American’s right to privacy.
“The sharing of information must be conducted in a manner that preserves American’s privacy and recognizes the civilian nature of cyberspace,” according to the statement. “Cybersecurity and privacy are not mutually exclusive.”
The question then becomes: How can the government balance fighting against national security cyber threats with protecting the fundamental right to privacy?
“We would say they don’t have to be at odds,” Richardson said. “There are ways to do [cybersecurity] with protections built in to minimize the amount of sensitive information and to make sure that they can’t just turn around and use it for all sorts of things,” she said.
The right to privacy and cyber security can both be achieved, but it has to be done right, said Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council.
The problem right now is that the United States is getting neither, Healey said. “We are certainly not secure and we can’t get control of our information in way that can secure our privacy.”
Healey argues the lawmakers have made it more difficult on themselves to pass cybersecurity legislation by the American people. The Stop Online Piracy Act introduced in 2011, which would allow for law enforcement to prevent access to websites displaying unauthorized copyrighted material, received a great deal of criticism from civil liberties groups that argued it was censorship and violated freedom of speech.
“If the security stuff would have come first, the security stuff maybe would have come out and people would have seen the good ideas in it and been more open minded,” he said. But because the lawmakers introduced the anti-piracy laws first, distrust has built up, making it more difficult for the government to make their case with this CISPA and other pieces of cybersecurity legislation, he said.
There are things the government can do to fight cyber threats in a way that does not damage privacy, such as research and development and ensuring that the supply chain of hardware put into U.S. computers is secured, Richardson said. “Those are the types of things that are privacy neutral and that the government can pursue if they want a proactive cyber security agenda,” she said.
The White House also indicated that other actions should be taken in the cybersecurity realm that can be considered privacy neutral. “Information sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation’s core critical infrastructure from cyber threats,” according to the statement from the White House.
Healey argues that if we look at the cyber realm like an environment, it may help us to move away from the cybersecurity versus privacy debate. Like other environments, the cybersecurity environment can be polluted and when it is, it becomes harmful for everyone else.
While it may have been more socially acceptable to pollute the environment a few decades ago, that has changed dramatically. “We changed the norm, to one where it is not okay to do those kinds of things,” he said. Today, “a lot of us choose things that are not in our short term interest to be more environmentally friendly.”