Cyber Security Legislation Privacy Protections are Substantially Similar

Transcription

1 Cyber Security Legislatin Privacy Prtectins are Substantially Similar By Rb Strayer and David Beardwd The fur mst prminent cyber security legislative prpsals the Obama administratin s legislative text; Cyber Intelligence Sharing and Prtectin Act (CISPA), H.R. 3253, spnsred by Cngressman Mike Rgers; the Cybersecurity Act f 2012, S. 2105, spnsred by Senatrs Lieberman, Cllins, Rckefeller and Feinstein; and the Strengthening and Enhancing Cybersecurity by Using Research, Educatin, Infrmatin and Technlgy Act (SECURE IT Act), S. 3342, spnsred by Senatr McCain and several ther Republican senatrs all apply strict cnditins t cyber security infrmatin sharing and have versight measures t prtect privacy and civil liberties. Each prpsal establishes infrmatin-sharing mechanisms that wuld prtect persnal infrmatin frm misuse and mandates nging versight t ensure respect fr privacy and civil liberties. Caviling ver minr differences with its prpsal, the administratin threatens t vet the Huse-passed CISPA, largely based n its privacy prtectins. 1 There is substantial cmmn grund rather than majr divergence amng these prpsals n hw t prtect privacy and civil liberties, as explained belw. PRIVACY AND CIVIL LIBERTIES PROVISIONS IN CURRENT PROPOSALS The Obama Administratin Prpsal The administratin s prpsal assigns the Department f Hmeland Security with the respnsibility f carrying ut cyber security infrmatin sharing. 2 Private-sectr infrmatin used by the gvernment must be related t cyber threats t federal netwrks r critical infrastructure, persnal infrmatin must be prtected frm unauthrized access r disclsure, and thse using federal netwrks must be ntified that their traffic may be mnitred. 3 Shared infrmatin may als be used fr law enfrcement purpses with the apprval f the attrney general if it is evidence f the past, current r imminent cmmissin f a crime. 4 Private sectr, 5 as well as state and Cyber Security Legislatin Privacy Prtectins are Substantially Similar 1

2 lcal, 6 cperatin with the federal gvernment is prtected frm public disclsure. Finally, versight f these measures wuld be prvided by the chief privacy and civil liberties fficers f DHS and DOJ thrugh annual reprts t Cngress, 7 and separately by the Privacy and Civil Liberties Oversight Bard (PCLOB), which wuld prvide an initial evaluatin t Cngress within tw years f enactment. 8 CISPA The Cyber Intelligence Sharing and Prtectin Act, H.R. 3523, passed the Huse by a bipartisan vte f It wuld allw the directr f natinal intelligence (DNI) t establish intelligence-sharing mechanisms between the intelligence cmmunity and the private sectr. CISPA grants mre cntrl t the private sectr than the ther prpsals in limiting the use f infrmatin prvided t the federal gvernment r ther private sectr entities. It allws cmpanies submitting infrmatin t set additinal annymizatin standards 10 and prhibit sharing f the infrmatin with specific federal agencies. 11 Shared infrmatin is prtected frm public disclsure 12 r use fr unfair trade advantage. 13 Data prvided t the gvernment may nly be used fr cyber security purpses, investigating and prsecuting crimes which culd result r have resulted in death, serius bdily har m, r the explitatin f a minr, and in cases f threats t natinal security. 14 Persnal recrds n library use, bk sales and purchases, firearm sales, tax returns, educatin, and medical histry are als excluded frm use in intelligence sharing. 15 The inspectr general f the intelligence cmmunity prvides versight thrugh annual reprts t Cngress, 16 but the PCLOB is nt required t participate in versight under the bill. 17 The Cybersecurity Act f 2012 The Cybersecurity Act f 2012, S. 2105, authrizes additinal public-private infrmatin sharing with DHS, similar t the Obama administratin s prpsal, and amng private sectr entities. The bill requires that DHS establish guidelines fr sharing cyber security threat and vulnerability infrmatin t prtect privacy and civil liberties, in cnsultatin with the attrney general and DNI. 18 It wuld als establish a full-time privacy fficer t ensure cmpliance with the guidelines. 19 The federal gvernment must als explicitly prtect against the disclsure f persnal infrmatin, and any cyber intelligence shared with the gvernment wuld be prtected frm public disclsure Cyber Security Legislatin Privacy Prtectins are Substantially Similar 2

3 The gvernment may nly use shared infrmatin against cyber threats 22 and t prevent, investigate, r prsecute the past, current, r imminent cmmissin f a crime with the apprval f the attrney general with the attrney general weighing the value f any such law enfrcement actin against the need t prtect persnal infrmatin. 23 Businesses may share cyber intelligence as lng as they fllw these restrictins and d nt use shared infrmatin t gain an unfair trade advantage. 24 Oversight wuld cme frm the chief privacy and civil liberties fficers f DHS and DOJ thrugh annual reprts t Cngress, 25 as well as the PCLOB, which wuld prvide an initial evaluatin t Cngress within tw years f enactment, as in the administratin s prpsal. 26 The inspectr general f each relevant agency wuld als prvide annual evaluatins. 27 The SECURE IT Act The SECURE IT Act, S. 3342, wuld establish cyber intelligence sharing between the private sectr and multiple cyber security centers thrughut the federal gvernment. 28 These centers must fllw standards set by the secretaries f cmmerce and hmeland security t prtect persnal infrmatin and trade infrmatin, 29 and thse prviding infrmatin wuld be prtected frm legal reprisal r public disclsure f shared cntent. 30 Additinal cntrl is prvided t the private sectr, as thse sharing infrmatin must prvide cnsent befre infrmatin may be shared with state, lcal r tribal gvernments fr any reasn. 31 Any shared infrmatin may again nly be used fr cyber security, natinal security, r law enfrcement purpses, althugh this bill is the mst permissive fr law enfrcement use by allwing any federal agency t use infrmatin against any crime cdified in sectin 2516 f title 18 f the U.S. Cde. 32 Oversight is carried ut by the PCLOB and all agency and department heads verseeing cyber security centers wh, tgether, must submit an initial evaluatin t Cngress within ne year f enactment and biennial reprts thereafter. 33 The inspectr general f each relevant agency wuld als prvide annual evaluatins. 34 Additinally, the Cuncil f the Inspectrs General n Integrity and Efficiency is authrized t cnduct versight, thugh n requirements are placed n the frequency f their review. 35 Cyber Security Legislatin Privacy Prtectins are Substantially Similar 3

4 MEASURES IN COMMON TO PROTECT PRIVACY AND CIVIL LIBERTIES All fur prpsals allw a gvernment agency t set enfrceable guidelines fr the sharing f cyber security infrmatin between the private sectr and the gvernment, as fllws: Administratin s Prpsal: The secretary f hmeland security, with review and apprval by the attrney general. 36 CISPA: The directr f natinal intelligence, in cnsultatin with the secretary f hmeland security. 37 Cybersecurity Act: The directr f the Department f Hmeland Security s cyber security center, in cnsultatin with the attrney general, DNI, and the privacy fficer f the DHS center. 38 SECURE IT Act: The secretary f cmmerce, in cnsultatin with the secretary f hmeland security. 39 Persnally identifiable infrmatin (PII) may nt be included in the infrmatin shared, unless it is necessary t include that infrmatin fr security purpses. 40 Each prpsal requires the prtectin f PII whenever it is nt critical fr security purpses. This keeps PII limited t the cmpany entrusted t prtect it, as well as relevant gvernment investigatrs. There are als prvisins in each bill that prevent the disclsure f persnal infrmatin t the public in the critical circumstances when it is shared. CISPA als allws fr prviders t set additinal requirements fr annymizatin. There must be cntinuus versight f cmpliance with privacy and civil liberty measures, as well as evaluatin f their impact. 41 Oversight will help t prevent intentinal r accidental abuse and identify develping needs in regulatins. The Privacy and Civil Liberties Oversight Bard s membership awaits Senate cnfirmatin. Once its members are cnfirmed, the PCLOB will serve as an independent agency t versee activity acrss the gvernment, and each f the fur initiatives, except CISPA, wuld include the Bard in versight, 42 thugh the riginally filed versin f CISPA included the Bard. 43 Cyber Security Legislatin Privacy Prtectins are Substantially Similar 4

5 The three prpsals that include the PCLOB als prescribe ther grups f gvernment fficers t lead dual versight, with the administratin prpsal and the Cybersecurity Act invlving the chief privacy and civil liberties fficers f DHS and DOJ, 44 the SECURE IT Act requiring reprting frm the relevant agency r department heads and chief privacy and civil liberties fficers 45 as well as the Cuncil f the Inspectrs General n Integrity and Efficiency, 46 and bth the Cybersecurity and SECURE IT Acts requiring versight by the inspectr general f each agency using shared infrmatin. 47 CISPA wuld require the inspectr general f the intelligence cmmunity t cnduct multi-agency versight. 48 Infrmatin shared with the federal gvernment may nly be used fr cyber security, fr natinal security purpses, and by law enfrcement t prsecute a crime; and nt regulatry actin. 49 Cyber intelligence prvided t the federal gvernment is prtected frm public disclsure thrugh the Freedm f Infrmatin Act (FOIA) r ther means. 50 This cnditin is necessary fr intelligence sharing, as disclsed exchanges culd reveal vulnerabilities in private security r cause reputatinal harm pssibilities which currently may preclude mre rbust infrmatin sharing. CONCLUSION The fur majr prpsals frm the administratin, Huse, and Senate establish cmmn grund n many privacy prtectins. The bills vary t limited degrees n the mechanism f the sharing, cntrl ver the prcess by the private sectr, and agency respnsibilities, but the cre prvisins n privacy and civil liberties are largely agreed upn. These differences are f the type that typically can be wrked ut thrugh the legislative prcess as bills mve thrugh the cmmittees t flr actin and eventual cnference between the Huse and Senate, and d nt amunt t an issue that shuld pse an insurmuntable bstacle t the enactment f cyber security legislatin. 1 Executive Office f the President, Office f Management and Budget, Statement f Administratin Plicy: H.R Cyber Intelligence Sharing and Prtectin Act. 25 April Cyber Security Legislatin Privacy Prtectins are Substantially Similar 5

6 2 White Huse, Cmprehensive Natinal Cybersecurity Initiative, available at: White Huse, Cybersecurity Authrity and Infrmatin Sharing Act f 2011 (Cybersecurity Authrity Act) 3 Cybersecurity Authrity Act 244(b) 4 244(b)(3) 5 White Huse, Cybersecurity Regulatry Framewrk fr Cvered Critical Infrastructure Act 7(d) 6 Cybersecurity Authrity Act 245(f) 7 248(e) 8 248(f) 9 Final Vte Results fr Rll Call April H.R (RFS) 2 (50 U.S.C. 1104(b)(3)(A)) 11 2 (50 U.S.C. 1104(b)(3)(C)(iv)) 12 2 (50 U.S.C. 1104(b)(3)(D)) 13 2 (50 U.S.C. 1104(b)(3)(B)) 14 2 (50 U.S.C. 1104(c)(1)) 15 2 (50 U.S.C. 1104(c)(4)) 16 2 (50 U.S.C. 1104(e)(1)) 17 H.R (IH) 2 (50 U.S.C. 1104(c)) 18 S (PCS) 243(c)(5) (j) (d-f) (g)(4) (g)(1) (g)(2) (b) (g)(5) (g)(6) (44 U.S.C. 3556(c)) 28 S (5): Cyber security centers that culd cnduct infrmatin sharing include the DOD Cyber Crime Center, U.S. Cyber Cmmand Jint Operatins Center and NSA/CSS Threat Operatins Center, the ODNI Intelligence Cmmunity Incident Respnse Center, the FBI Natinal Cyber Investigative Jint Task Frce, the DHS Natinal Cybersecurity and Cmmunicatins Integratin Center, and any subsequently established federal cyber security center. Available at: (44 U.S.C. 3553(a)(1)) (c)(3-7) (c)(2) (c) (a) (44 U.S.C. 3554(a)(4)) Cybersecurity Authrity Act H.R (50 U.S.C. 1104(b) (Prcedures and Guidelines)) 38 S (c)(5) Cyber Security Legislatin Privacy Prtectins are Substantially Similar 6

7 39 S (44 U.S.C. 3553) 40 Cybersecurity Authrity Act 248(a)(2); H.R (50 U.S.C. 1104(b)(3)(A)); S (c)(1)(E)(i); 702(b)(1); S (d)(1)(C) 41 Cybersecurity Authrity Act 248; H.R (50 U.S.C. 1104(e)); S (g)(4-7); S ; 106; 201 (44 U.S.C (a)(4)) 42 Cybersecurity Authrity Act 248(f); S (g)(6); S H.R (IH) 2 (50 U.S.C. 1104(c)) 44 Cybersecurity Authrity Act 248(e); S (g)(5) 45 S (a) S (44 U.S.C. 3556(c)); S (44 U.S.C. 3554(a)(4)) 48 H.R (RFS) 2 (50 U.S.C. 1104(e)) 49 Cybersecurity Authrity Act 244(b); Cybersecurity fr Critical Infrastructure Act 8(a)(1)(C); H.R (RFS) 2 (50 U.S.C. 1104(c)); S (g)(1-2); S (c)(1) 50 Cybersecurity Authrity Act 245(f); Cybersecurity fr Critical Infrastructure Act 7(d); H.R (50 U.S.C. 1104(b)(3)(D)); S (d); S (c)(3-7) Cyber Security Legislatin Privacy Prtectins are Substantially Similar 7