By Sharon Bradford Franklin, Senior Counsel, The Constitution Project
As the Department of Homeland Security has evolved over the past ten years, one of its central functions has become to “safeguard and secure cyberspace.” DHS is the lead agency overseeing cybersecurity for the federal government’s civilian operations. This role fits well with DHS’s overall homeland security responsibilities, and from a civil liberties perspective, DHS is the federal agency best suited to this job.
Unless they incorporate adequate civil liberties safeguards, cybersecurity programs that permit the government to collect private communications from computer networks create risks that Americans will be subject to the equivalent of a perpetual warrantless wiretap of their private communications and web browsing. DHS has demonstrated that it takes these risks seriously, and has involved its Privacy Office in developing and operating cybersecurity programs.
DHS’s two main cybersecurity responsibilities are currently to oversee and operate the EINSTEIN cybersecurity program, which protects civilian federal government computer networks, and to partner with the Defense Department in running the cybersecurity pilot program for Defense Industrial Base (DIB) companies. The DIB pilot program establishes information sharing between the federal government and DIB companies, mostly defense contractors, to protect DOD information on DIB company computer networks. DHS handles its cybersecurity operations through the National Cybersecurity and Communications Integration Center (NCCIC) and the U.S. Computer Emergency Readiness Team (US-CERT), which have developed cybersecurity expertise.
Through these roles, not only has DHS become more proficient in protecting computer networks, but from a civil liberties perspective, the agency has demonstrated that it is capable of mitigating the privacy threats that cybersecurity programs can pose. DHS’s Privacy Office has developed Privacy Impact Assessments (PIAs) for every stage of the EINSTEIN program’s development, as that program has evolved from simply identifying threats to federal civilian computer networks to developing a capability for intrusion prevention. DHS conducted these PIAs because it recognized that the network flow being analyzed may contain personally identifiable information. Similarly, DHS developed a PIA analyzing its role in the DIB pilot cybersecurity program. Significantly, DHS has published unclassified versions of each of these PIA reports on the DHS website. As they demonstrate, DHS has taken steps to minimize the collection and use of personally identifiable information that may be intercepted and reviewed in the course of cybersecurity operations. Although the scope and strength of these safeguards can still be improved, DHS has demonstrated that it is at the forefront of federal agency efforts to incorporate such privacy protections. In addition, DHS tasked its Data Privacy and Integrity Advisory Committee (DPIAC) with drafting a report recommending privacy safeguards that should be incorporated in cybersecurity pilot programs. A Cybersecurity Subcommittee developed such a report, which the DPIAC adopted on November 7, 2012.
The Obama administration and many members of Congress are seeking legislation to create a more expansive public-private information sharing program for cybersecurity. Such legislation would make it easier for the government to share information about cyber threats with private companies, and would enable companies to share cyber threat information with the government without fear of liability. The lead Senate bill, S. 3414, the Cybersecurity Act, which is backed by the Obama administration, would designate DHS as the lead federal agency to manage such an information sharing program. By contrast, the Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House earlier this year would allow the National Security Agency (NSA) and other military agencies to play this role. It is likely that the next Congress will consider legislation creating a cybersecurity information sharing program, and if it moves forward, DHS is certainly the right agency to fill this role. The proposed information sharing program would facilitate private companies sending data from their networks to the federal government. This creates an increased risk that personally identifiable information and the content of private communications will be turned over to federal agencies even if this information is not related to any cybersecurity threat. Anyone who recalls the NSA warrantless wiretapping program should understand that we do not want the NSA or any other military agency handling a cybersecurity program for civilian networks. Rather, any program providing data from private civilian networks to the government should be handled and overseen by a civilian agency, and DHS has demonstrated that it is by far the best candidate.
As DHS begins its next decade, we expect its role in federal cybersecurity programs to grow, and The Constitution Project and other advocacy groups will continue promoting inclusion of robust privacy safeguards in all cybersecurity programs, as outlined in TCP’s reportRecommendations for the Implementation of a Comprehensive and Constitutional Cybersecurity Policy. Meanwhile, we urge DHS to continue to include its Privacy Office in developing and implementing cybersecurity policy and to protect Americans’ rights as well as our cybersecurity, and we call upon Congress and the Administration to support that work.
ACS is co-hosting a panel titled “DHS at 10: The Department of Homeland Security’s Past, Present and Future” with the Open Society Foundation this Wednesday, Nov. 28. Follow the conversation on Twitter with our hashtag #DHSat10.