By Jennifer Granick, Civil Liberties Director, Electronic Frontier Foundation
National commitment to cybersecurity is welcome, but government control of the internet is not. This morning's White House-issued cybersecurity proposals seem to recognize this distinction and are therefore vastly preferable to the Rockefeller-Snowe Cybersecurity Act introduced into Congress last month.
Today, President Obama announced that he would create a White House-level position of "cyber czar" to coordinate and oversee federal efforts to improve network security and response to cyber attacks. At the same time, the White House released a cybersecurity report giving more specific proposals for how the federal government can improve the security of our national networks. Together, the proposals credit the importance of protecting both the network and civil liberties, though the devil will be in the details.
Neither government nor private sector computers are nearly secure enough. But whether a network is secure depends on multiple factors including the value of the information traveling over that system, the evolution of the state of the art in computer programming and the commitment and resources of an attacker. Thus, "cybersecurity" is an ongoing process of research, investment and risk-management, not an attainable final state of impenetrability.
The government must secure our critical infrastructure networks, and can play a leadership role for the private sector. Both goals require wonky management more than dramatic gestures. As security expert Bruce Schneier has pointed out, the causes of government cyber-insecurity are rather mundane.
GAO reports indicate that government problems include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs.
The White House cyber czar, the President says, would set budget priorities, establish measurable security goals and coordinate responses to cyber attacks. Efforts like these that aim to ensure and incentivize better security hygiene across the board, while sharing information and metrics with private network operators, aren't glamorous, but are the kind of measures that improve network security. The report also states commitment to civil liberties, including by designating a privacy and civil liberties officer in the agency devoted to cybersecurity. If this commitment is real, today's White House proposal is a welcome place to start addressing the problem of cyber-insecurity.
Contrast this with the Rockefeller-Snowe bill introduced in April, which includes exaggerated proposals that do little to address the root causes of network vulnerabilities and much to undermine private rights and civil liberties. The bill purports to give the Commerce Department absolute, non-emergency access to "all relevant data" without any privacy safeguards like standards or judicial review. The broad scope of this provision could eviscerate statutory protections for private information, such as the Electronic Communications Privacy Act, the Privacy Protection Act or financial privacy regulations.
Another proposed provision of that bill would give the President unfettered authority to shut down Internet traffic in an emergency and disconnect critical infrastructure systems on national security grounds. This would create a major shift of power away from users and companies to the federal government, without any guidance on when or how the President could responsibly pull the kill switch on privately owned and operated networks.
Notably, the White House report specifically rejects the idea of government access to information regardless of existing law or the Constitution and talks about government leadership, but not government take-over of private networks. The Rockefeller-Snowe bill is an example of the kind of rhetoric that doesn't address the real problems of security and can actually make matters worse by weakening existing privacy safeguards. Our starting point for this discussion should be the White House proposal, which focuses on simpler, practical measures that could create real security by encouraging better computer hygiene for both public and private networks.