In separate hearings Tuesday in the Senate Select Committee on Intelligence and the Armed Services Committee, leaders of the intelligence community called cyberattacks the greatest threat to the U.S. at this time—but admitted that the kinds of catastrophic attacks imagined by reporters and cyber experts were only a "remote" possibility in the near future.
Testifying before the Senate Intelligence Committee, Director of National Intelligence James Clapper issued a dire warning that cyber is the nation's leading threat—but then conceded that there is only a "remote chance of a major cyberattack against US critical infrastructure systems during the next two years." Meanwhile, the director of the National Security Agency (NSA) and of the Defense Department's Cyber Command, Gen. Keith Alexander, joined Clapper in warning about the urgency of the threat in his testimony before the Armed Services Committee, but did say that none of the attacks so far constitute acts of war. Rather, they've only been corporate espionage or theft of international property, which are squarely within the criminal realm and not military defense.
This Wednesday, speaking before the House Homeland Security Committee at a hearing focused directly on the issue of DHS's role in cybersecurity, my colleague Michelle Richardson said it best:
"Overwhelmingly, the cybersecurity programs that affect everyday Americans are about everyday cybercrime, insecure networks, things like that. And those do not merit a military response. They should be handled by civilian agencies."
The good news is that Alexander was clear that he believed the Department of Homeland Security (DHS) is the "lead for domestic cyber-security." We are relieved to hear him reaffirm this, considering that CISPA, the House's legislative vehicle, could give that honor to the NSA. As Richardson said, "if domestic cybersecurity programs are ceded to the NSA, the committee, rank and file members of Congress, and the American public will never hear of it again."
At Wednesday's House Homeland Security Committee hearing, representatives from the DHS, the private sector and Richardson testified that the internet is a civilian space, and should remain within the jurisdiction of civilian agencies. Richardson argued that cybersecurity legislation must do three things:
- Establish civilian control over any information sharing program
- Protect privacy by protecting personally identifiable information, and by establishing effective transparency and oversight
- Limit the use and further sharing or retention of information once it has been shared
Anish Bhimani, representing the financial sector, echoed our concerns, and those of his industry, testifying that he doesn't need or want to share Americans' personal information, and that "the most valuable information we could gain…tends to be extremely technical in nature and doesn't necessarily need to include any personal information nor reveal the organization affected."
Our message seemed to resonate with Committee members from both parties:
- On several occasions, Chairman Michael McCaul (R-Texas) noted that DHS is already established as the lead agency to deal with cybersecurity by both the president's Executive Order and by mutual agreement between DHS, the Department of Defense, and the Department of Justice. He argued that it is best positioned for this role because of its "Privacy Office to protect Americans' privacy and civil liberties."
- Rep. Patrick Meehan (R-Pa.), the Chairman of the Subcommittee on Cybersecurity, said, "I appreciate the points that have been made by Ms. Richardson, as well, and I think we're going to be looking to explore ways in which privacy can be protected."
- The Committee's ranking member, Rep. Bennie Thompson (D-Mich.), joined in those sentiments, as did Rep. Yvette Clarke (D-N.Y.), and urged that CISPA (H.R. 624), the House Intelligence Committee's privacy-busting cybersecurity bill, be referred to their Committee for its consideration.
Passing a cybersecurity bill is a top legislative priority in this Congress. CISPA would allow the private sector to share Americans' private information with a military agency like the NSA. On Wednesday, by reaffirming its jurisdiction over cybersecurity legislation and establishing that cybersecurity information sharing programs must be housed in a civilian agency, the House Homeland Security Committee took a good step toward enhancing both security and privacy.
Last Congress, President Obama threatened to veto CISPA over concerns about privacy and civilian control. We are asking the President to establish that he will veto any bill that fails to protect Americans' privacy and civil liberties. Citizens can sign our petition urging the President to issue a veto threat now against CISPA.
More information about CISPA and other cyber issues is at our cybersecurity webhub.