President Obama Shows No CISPA-like Invasion of Privacy Needed to Defend Critical Infrastructure
Last night the President signed an executive order (EO) aimed at ramping up the cybersecurity of critical infrastructure. Overwhelmingly, the EO focuses on privacy-neutral coordination between the government and the owners and operators of critical infrastructure (CI)—such as the banking, communication, power, and transportation sectors—which have long been regulated because of their fundamental role in the smooth operation of society. Now that these important entities are all connected to the internet, the administration insists that their cybersecurity be on par with their physical security.
There are two important information sharing advancements in the EO, and this time they are good for privacy. They do not include the many problems of legislation like the Cyber Intelligence and Sharing Protection Act (CISPA) because an executive order by definition cannot take away the privacy protections granted by current statutes. In other words, the EO cannot exempt companies from privacy statutes, or let the government collect new information. It can only act within its existing power to change policies and practices.
Two cheers for cybersecurity programs that can do something besides spy on Americans.
The first information sharing advancement greases the wheels of information from the government to the private sector. Section 4 lights a fire under agencies and directs them to share more information with companies—information they already have and can legally collect under current law. Information flowing in this direction is nowhere near as problematic as information flowing in the opposite direction. To the extent that corporate and congressional advocates claim that CISPA is needed for this purpose, the administration beat them to the punch. The EO directs the attorney general, the director of national intelligence and the secretary of homeland security to set up a system to get threat information to critical infrastructure owners and operators. They have four months to pull it together.
The second information sharing provision is a net positive for civil liberties. Section 5 directs the Department of Homeland Security, the Privacy and Civil Liberties Oversight Board (PCLOB) and the Office of Management and Budget to evaluate current interagency information sharing. There is plenty of cyber information floating around the executive branch and across different agencies. There doesn't appear to be any publicly available regulation of how that information is protected for privacy purposes, and it may very well be that it is protected by a mish-mash of originating statutes that treat different types of information with varying protections. By holding the agencies accountable to the Fair Information Practice Principles (FIPPs)—transparency, choice, minimization and more—we may see a government-wide cybersecurity privacy regime evolve. To get it done right, PCLOB will need to be funded and staffed up, and advocacy will be needed to keep the agencies true to the FIPPs, but the President has now declared them the bellwether for cybersecurity information.
Overall, the EO is a win for privacy and civil liberties. It's a good reminder that while some are focused like a laser on turning our internet records over to the National Security Agency, there are a lot of other things that government can do to advance cybersecurity instead. Now it's up to all of us to make sure Congress follows the President's lead.