Lawmakers Must Balance Network Security, Civil Liberties in Cybersecurity Bill, Experts Say
Information sharing and protecting civil liberties should be very carefully considered before any cybersecurity legislation is brought to the Senate or House floor, said former government officials and security experts at a briefing on cybersecurity and civil liberties sponsored by The Constitution Project Thursday. There’s an understandable reluctance by the private sector to engage in an information sharing program, said Mary McCarthy, former intelligence programs director at the Central Intelligence Agency. As federal agencies work with the private sector, “all parties should carefully consider the matter of civil liberties,” she told reporters and congressional aides on Capitol Hill.
Cybersecurity should be approached in a way that prevents terrorist attacks but doesn’t sacrifice personal liberties, said Asa Hutchinson, former Arkansas congressman and former undersecretary at the Department of Homeland Security. “I think you have to have that balance in the legislation,” he said. Another important component is metrics, he added: There need to be ways “to determine whether the program is successful or not.”
The Center for Democracy and Technology warned against an information sharing program that could turn into “governmental monitoring through the backdoor.” The pending bills, including a draft from Senate Majority Leader Harry Reid, D-Nev., and bills introduced by Sens. Joe Lieberman, I-Conn., Dianne Feinstein, D-Calif., and Reps. Dan Lungren, R-Calif., and Mike Rogers, R-Mich., “contain a permission to share, notwithstanding any law,” said Gregory Nojeim, director of CDT’s Project on Freedom, Security and Technology. “If you're going to do that, it’s important to narrowly define the information that can be shared -- otherwise it’s game over when it comes to privacy.” He said the draft cybersecurity proposal from the Senate does pretty well at narrowly defining such information. A bill from Rogers, the House Intelligence Committee chairman, HR-3523, has the worst proposal on information sharing, he said.
A procedure limiting the sharing of personally identifiable information (PII) also is needed in legislation, McCarthy said. PII in shared data should be sanitized and removed before the data is submitted to the government, she said.
The National Security Agency and Department of Defense shouldn’t be in charge of collecting information on U.S. citizens, said Michelle Richardson, legislative counsel at the ACLU. “It’s inappropriate,” she said. While legislation will not likely have a “kill switch” component, there are smaller switches that government can use to order site or server access to be blocked, she said. “Congress should ask what current authorities there are for emergency situations.” Federal agencies should have public and stringent rules to protect privacy, she added. Feinstein’s bill, the Data Breach Notification Act, “includes some of these but lacks direction on what will happen with private-to-private sharing.”