Cybersecurity Privacy Practical Implications

Concerning Privacy and Cybersecurity Policy

Introduction

Cybersecurity encompasses an array of challenges in protecting digital information and the systems that people depend upon to communicate. The interconnected world of computers forms the Internet, which poses new challenges for nations because regional and national borders do not govern the flow of information as it is currently managed. In the most basic sense, the Internet works like any other remote addressing system: just as a telephone number corresponds to a particular device and a street address to a particular geographic location, every device on the Internet is identified by an Internet Protocol (IP) address.

Each computer network and computing device that communicates over the Internet must have a unique address to send or receive messages. The Internet Corporation for Assigned Names and Numbers (ICANN) coordinates the allocation of IP addresses and the administration of the domain name system so that each Internet-connected device (computer, cell phone, personal digital device) can be reached by a unique IP address. Because numeric addresses are hard for people to remember, the Domain Name System (DNS) maps human-readable names, which end in top-level domains best known by the labels .com, .edu, .net, and .org, to IP addresses; this is what makes it easy for people to find the sites and people they are looking for. Registration information on domain name and IP address holders, known as WHOIS data, is a source of contention between privacy, free speech, and human rights advocates on one side and law enforcement, commercial, and government interests on the other.

Privacy

What Privacy Rights May be Involved with Cybersecurity?

Privacy interest in cybersecurity involves establishing protocols and effective oversight regarding when, why, and how government agencies may gain access to personal information that is collected, retained, used, or shared. U.S. businesses and government share responsibility for the insecurity of consumer online personal information. There is no single federal minimum standard for data protection that enforces fair information practices (FIPs). Fair information practices regulate and enforce consumer privacy rights regarding data collection, retention, use, and sharing of personal information. The federal approach has focused not on the protection of personal information, but on the purpose of the information collection.

The history of U.S. government agencies conducting sanctioned and unsanctioned surveillance of domestic communication by colluding with telecommunications and wire communication companies is well known. (James Bamford, The Puzzle Palace: Inside the National Security Agency, America's Most Secret Intelligence Organization (1983).) Domestic surveillance first began as a means of acquiring information on criminal activities and quickly moved to documenting people's engagement in social or political activities and their exercise of constitutionally protected rights to expression and assembly. Fundamentally, control of society is, in large part, about the ability of government to control communications.

One key challenge facing users of digital communications is that the medium suits those inclined to spy like no other form of surveillance: the intruder can conceal the fact that a communication has been intercepted at all. The National Security Agency is no amateur at delving into personal communications that are secured by law or by design from snooping.

Cybersecurity Interests

Consumer Cybersecurity Interest

Online consumers have been victimized by cyber-threats in the form of spyware; malicious software such as viruses, worms, and other malware; and fraud or abusive sales tactics that lure consumers into paying for bogus products or services. Online consumers also routinely fall victim to identity theft, spam, phishing, and pharming attacks.

Consumers also face the challenge of determining which online vendors and services can be trusted to deliver the goods and services they advertise.

Political Advocacy and Academic Cybersecurity Interest

For individuals and organizations that rely on the Internet for research, access to information, collaboration, political participation, fundraising, coalition building, campaigns, advocacy, organized dissent, political speech, watchdog actions against government and businesses, freedom of expression, dissemination of information or for outreach to constituencies--cybersecurity does matter a great deal.

Threats to political activity include deceptive campaign tactics that deface websites, target donations for theft, launch denial-of-service attacks against websites, or send deceptive or misleading messages about the rules for voter participation on election day. If responses to cyber-attacks deny advocates access to the Internet or advanced communications networks, they would lose the means to engage in a wide range of activities, including election protection efforts during public elections, mobilizing supporters for public protests, educating consumers, and empowering constituencies to know and understand the policies that affect their lives. Academics and researchers likewise need a trustworthy and reliable means of exchanging ideas, participating in discussions, and collaborating on projects that advance their areas of research.

Business Cybersecurity Interest

Large and small companies face cyber-threats both within and outside their control, such as data breaches, theft of trade secrets, espionage, attacks on computer networks, and damage to critical systems. Many companies are weighing the challenges of cybersecurity and looking to new business applications such as cloud computing to secure their data. However, cloud computing carries enormous security and privacy risks of its own, arising from dependence on untrustworthy or unevaluated third parties.

New business and government services such as electronic health records and development and updating of critical infrastructure such as the Smart Grid each offer new cybersecurity privacy challenges for consumers.

National Security Cybersecurity Interest

The cyber-threats to any nation can range from disruption of an agency's networks or information services to the public to cyber-warfare. Depending on the agency, type of cyber-attack, its scope, duration, and effectiveness, the consequences for the online and offline operation of local, federal, or state government components can range from annoying delays in communications to serious damage to infrastructure threatening life or property.

Cyber-attacks or incidents that threaten the command and control structure of the national government or its assets including national defense, emergency response, and economic systems are of growing concern. The digital infrastructure of the nation must be treated as a strategic national asset. The new mission is to deter, detect, and defend against disruptions and attacks of all descriptions.

Policy

Introduction

Cyberspace is global, but the freedoms that are protected by constitutional rights, human rights norms, and legal institutions are defined by treaty or geography. Cybersecurity may be defined by governments, but will have a lasting impact on many rights and civil liberties enjoyed by free people throughout the world who engage in cyber-communications. Freedom of expression, freedom of association, economic opportunity, and political discourse may be redefined by the course the United States charts for cybersecurity.

Decisions about how to define cybersecurity and who will define it may affect Internet anonymous speech, freedom of expression, free speech, and access to information. Those who have worked on Network Neutrality understand what manipulation of communications over the Internet might mean. However, in the realm of federal cybersecurity, transparency and oversight might not be part of the process.

The Obama Administration has engaged agencies of the federal government, large corporations, technology companies, technologists, legal scholars, and policy experts in the deliberative process related to establishing policy to secure cyberspace.

Cyberspace Policy Review

On May 29, 2009, President Barack Obama announced the Administration's plan to address the growing issue of digital information insecurity. The Administration engaged multiple participants to develop this plan.

Much of the nation's critical infrastructure is connected in some way to computer networks. Addressing digital communication system vulnerabilities touches on important privacy and security questions that must be answered. The President began this discussion on cybersecurity by stating:

It is now clear that this cyber-threat is one of the most serious economic and national security challenges we face as a nation. It's also clear that we are not as prepared as we should be as a government or as a country. In recent years some progress has been made at the federal level, but just as we failed in the past to invest in our physical infrastructure, our roads, our bridges, and rails, we failed to invest in the security of our digital infrastructure. No single official oversees cybersecurity policy across the federal government and no single agency has the responsibility or authority to match the scope and scale of the challenge...

The Obama Administration is challenging federal government agencies, large technology companies, corporate America, academics and digital media users to join efforts to secure the Internet and telecommunications systems from every form of cyber-threat or menace.

The goal of the Administration is to pursue a new aggressive and comprehensive approach to cybersecurity that would address all forms of cyber-based threats. The category of threats will include those faced by consumers, corporations, critical infrastructure, and networked local, state, and federal government agencies. Internet or networked computer based communications have moved beyond an option to a necessary tool for a highly interconnected world. The Internet has fundamentally changed the social, cultural, business, political, and educational experiences of people.

The Cyberspace Policy Review set out 10 near-term actions. According to the Whitehouse.gov Cybersecurity Factsheet, the Administration has completed or will soon complete all of those items:

  1. Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy. ◊ Complete. Howard A. Schmidt has been appointed as the Cybersecurity Coordinator.
  2. Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes. ◊ Complete. The direction and needs highlighted in the Cyberspace Policy Review and previous national cybersecurity strategy are still relevant, and we have updated that strategy on targeted cyber issues, such as identity management and international engagement.
  3. Designate cybersecurity as one of the President's key management priorities and establish performance metrics. ◊ Complete. All senior executives and senior leadership have been informed that cybersecurity is one of the President's key management priorities for the Federal Government. We have established metrics through the CyberStats program, and we have also worked with the Office of Management and Budget (OMB) to update the Federal Information Security Management Act (FISMA) metrics by which departments and agencies are graded on their cybersecurity. Together, we are shifting the Federal Government's approach to cybersecurity from a static, paper-based certification and accreditation to a dynamic, relevant process based upon continuous monitoring and risk assessment.
  4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate. ◊ Complete. Our second Director for Privacy and Civil Liberties joined us from the Federal Trade Commission in December 2010.
  5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government. ◊ Complete. We have developed a formal interagency process as we continue to address policy and legal issues. As part of that process, we identified additional authorities that the executive branch needs to fulfill its mission, and we have requested those authorities as part of our legislative package.
  6. Initiate a national public awareness and education campaign to promote cybersecurity. ◊ Complete. We have created the National Initiative for Cybersecurity Education (NICE) with the dual goals of a cyber-savvy citizenry and a cyber-capable workforce, including raising awareness for consumers, enhancing cybersecurity education, and improving the structure, preparation, and training of the cybersecurity workforce. After the 2010 National Cyber Security Awareness Month, DHS launched a year-round national awareness campaign, which has held events around the country.
  7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity. ◊ Complete. We have finished and will soon release the International Strategy for Cyberspace, which provides a unified foundation for the nation's international engagement on cyberspace issues.
  8. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement. ◊ Complete. The National Cyber Incident Response Plan (NCIRP) was developed and tested during a national cyber exercise, Cyber Storm III. It is now in the final stages of being updated, based upon our experience using the plan in different cyber exercises.
  9. In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions. ◊ Complete. The White House Office of Science and Technology Policy has finalized a Cyber Research and Development Framework. Public release of the plan is expected to occur in May 2011.
  10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation. ◊ Complete. The National Strategy for Trusted Identities in Cyberspace (NSTIC) was released on April 15, 2011. The Department of Commerce will stand up a program office to coordinate the federal government and private sector in implementing this effort.

Legislative Proposals

The White House proposed cybersecurity legislation in May 2011. According to the White House, the proposed legislation will help safeguard personal data, help protect our national security by addressing threats to critical infrastructure, and help the government protect federal networks while at the same time creating stronger privacy and civil liberties protections. The Whitehouse.gov Fact Sheet on the Proposal highlights the following features of the legislation:

National Data Breach Reporting
Penalties for Computer Criminals
Voluntary Government Assistance to Industry, States, and Local Governments
Voluntary Information Sharing with Industry, States, and Local Governments
Critical Infrastructure Cybersecurity Plans
Increase of Effort and Resources to Protect the Federal Network

On January 5, 2011, Representative Bennie Thompson (D-MS) sponsored H.R. 174, the Homeland Security Cyber and Physical Infrastructure Protection Act of 2011. H.R. 174 "seeks to enhance DHS' cybersecurity capacity by authorizing the DHS Office of Cybersecurity and Communications and creating a new Cybersecurity Compliance Division to oversee the establishment of performance-based standards responsive to the particular risks to the (1) .gov domain and (2) critical infrastructure networks, respectively." (Source: Press Release). It was referred to the House Committee on Homeland Security's Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.

The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies has held several hearings on the issue of cybersecurity. On June 24, 2011, the subcommittee held a hearing entitled "Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal." (http://homeland.house.gov/hearing/subcommittee-hearing-examining-homeland-security-impact-obamaadministrations-cybersecurity). On April 15, 2011, the subcommittee held a hearing entitled "The DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure." On March 16, 2011, the subcommittee held a hearing entitled "Examining the Cyber Threat to Critical Infrastructure and the American Economy."

National Strategy for Trusted Identities in Cyberspace (NSTIC)

One objective of the White House's Cyberspace Policy Review was to develop a national plan for a secure online identification program available to the public:

"The Federal government - in collaboration with industry and the civil liberties and privacy communities - should build a cyber security-based identity management vision and strategy for the Nation that considers an array of approaches, including privacy-enhancing technologies. The Federal government must interact with citizens through a myriad of information, services and benefit programs and thus has an interest in the protection of the public's private information as well."

Based on the White House's recommendations, an inter-agency writing team developed and released a draft of the National Strategy for Trusted Identities in Cyberspace (NSTIC) in June 2010. NSTIC is seen as an acceleration and expansion, to the general public, of the initiatives developed under the federal Identity, Credential, and Access Management (ICAM) program. The draft identified what it called the Identity Ecosystem - "a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely supports transactions ranging from anonymous to fully authenticated and from low to high value." The draft was published on IdeaScale and was open for the public to submit comments. (The page has since been removed, though MSNBC has maintained a screenshot.)

EPIC responded to the Draft NSTIC with a formal statement on the unique challenges the proposal presented for the continued protection of privacy and consumer rights. EPIC emphasized the need for:

  • A complete enumeration of the sources of the problems identified in the draft
  • A clear plan for privacy protection
  • A strategy for the protection of private communications by fair information practices
  • The assignment of responsibility of government agencies to oversee authorities, courts, and credential users regarding constitutional rights
  • The assurance that Internet users can continue to create, control, and own web content.

EPIC also emphasized the importance of applying Fair Information Practices to all personally identifiable information that is collected, retained or used, and recommended an explicit statutory provision that would apply protections in the Federal Privacy Act to all credential-related information.

On January 7, 2011, White House Cybersecurity Coordinator Howard Schmidt and Commerce Secretary Gary Locke appeared at an event at Stanford University in California. In his speech, Locke detailed many potential threats on the Internet, claiming that the "cyber threat" was "one of the most serious economic and national security challenges we face as a nation." To lead the government's efforts on digital identity, Locke announced the creation of a National Program Office at the Department of Commerce, housed under the National Institute of Standards and Technology (NIST), that would be responsible for a digital identity framework.

As described by Secretary Locke in his announcement, the new Program Office would spearhead the development of NSTIC, though implementation would be left to the private market, eliminating the need for a single overseer or a central database. (However, because the federal government would not maintain the databases of identity information, those databases would not be subject to the protections of the Privacy Act of 1974.) The digital identity program is also designed to be entirely voluntary for users. In addition to private industry, the General Services Administration and the Department of Homeland Security were also slated to assist with development of the new programs.

For the full NSTIC page, see EPIC: NSTIC

International Strategy for Cyberspace

On May 16, 2011, the White House announced the International Strategy for Cyberspace (ISC). The ISC outlines the United States' approach to cyber issues. The ISC states the goal of a "future for cyberspace that is open, interoperable, secure, and reliable." Policy priorities include:

  • Promoting International Standards and Innovative, Open Markets
  • Protecting Our Networks: Enhancing Security, Reliability, and Resiliency
  • Internet Governance: Promoting Effective and Inclusive Structures
  • Internet Freedom: Supporting Fundamental Freedoms and Privacy

Department of Commerce's Cybersecurity Policy Framework

On June 8, 2011, the Department of Commerce announced a new policy framework for cybersecurity and businesses online. The Department of Commerce Green Paper proposes voluntary codes of conduct for companies that do business online but are not part of the critical infrastructure sector. The framework makes specific policy recommendations, including:

  • Establish nationally recognized but voluntary codes of conduct to minimize cybersecurity vulnerabilities. For example, the report recommends that businesses employ present-day best practices, such as automated security, to combat cybersecurity threats, and that they deploy the Domain Name System Security Extensions (DNSSEC) on the domains that host key Web sites. DNSSEC lets a validating resolver cryptographically verify that a DNS answer was signed by the zone's owner and has not been altered in transit, so that users are delivered to the addresses they actually requested rather than hijacked by forged DNS data. (It authenticates DNS data only; it does not encrypt queries or vouch for what the destination site does.)
  • Developing incentives to combat cybersecurity threats. The report also recommends exploring and identifying incentives that could include reducing "cyberinsurance" premiums for companies that adopt best practices and openly share details about cyberattacks for the benefit of other businesses.
  • Improve public understanding of cybersecurity vulnerabilities through education and research. Programs like the National Initiative for Cybersecurity Education should target awareness and training to the Internet and Information Innovation Sector (I3S) and develop methods for cost/benefit analyses of cybersecurity expenditures.
  • Enhance international collaboration on cybersecurity best practices to support expanded global markets for U.S. products. This should include enhanced sharing of research and development goals, standards, and policies that support innovation and economic growth.
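
To make the DNSSEC recommendation above concrete (and to show the wire-format name encoding that the DNS discussion in the Introduction glosses over), here is an added Python example, written for this page rather than taken from the Green Paper or from any DNSSEC implementation. It performs the one link of the chain of trust that a validating resolver recomputes on every lookup: checking that the DS record a parent zone publishes really refers to the child zone's DNSKEY (RFC 4034 section 5 and Appendix B). The owner name, the DNSKEY bytes and the "tampered" key are constructed for the demonstration and are not real zone data; the function names name_to_wire, key_tag, ds_digest and ds_matches are this example's own.

```python
"""DNSSEC chain-of-trust check: does a parent zone's DS record match the
child zone's DNSKEY?  Added example; all key material is constructed."""
import hashlib
import struct

# DS digest types (RFC 4034 s5.1.3 and RFC 4509); SHA-1 is legacy only.
DS_DIGEST_ALGS = {1: "sha1", 2: "sha256"}


def name_to_wire(name: str) -> bytes:
    """Encode a domain name in DNS wire format, lowercased as DNSSEC's
    canonical form requires: each label is length-prefixed and the name
    ends with the zero-length root label.
    "Example.COM." -> b"\\x07example\\x03com\\x00"."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    for label in labels:
        if len(label) > 63:
            raise ValueError(f"label too long: {label!r}")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Serialise DNSKEY RDATA: 2-byte flags, 1-byte protocol (must be 3),
    1-byte algorithm number, then the raw public key bytes."""
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 s2.1.2)")
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum of the DNSKEY RDATA
    that DS and RRSIG records use to say which key they refer to.  It is a
    disambiguator, not a security property; collisions are possible."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag rule; not supported")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name in wire form || DNSKEY RDATA).
    The parent zone publishes this; a validator recomputes it from the
    child's DNSKEY and compares."""
    if digest_type not in DS_DIGEST_ALGS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return hashlib.new(DS_DIGEST_ALGS[digest_type], name_to_wire(owner) + rdata).digest()


def ds_matches(owner: str, rdata: bytes, ds_key_tag: int, ds_algorithm: int,
               ds_digest_type: int, ds_digest_hex: str) -> bool:
    """A validator's check that a DS record refers to this DNSKEY: key tag,
    algorithm number and digest must all agree."""
    if key_tag(rdata) != ds_key_tag or rdata[3] != ds_algorithm:
        return False
    try:
        return ds_digest(owner, rdata, ds_digest_type) == bytes.fromhex(ds_digest_hex)
    except ValueError:          # unknown digest type or malformed hex
        return False


# Constructed demo key: KSK flags (257 = ZONE | SEP), algorithm 13
# (ECDSA P-256 / SHA-256) and 64 placeholder bytes standing in for the
# x||y point.  Real keys come from the child zone's DNSKEY RRset.
DEMO_OWNER = "example.com."
DEMO_RDATA = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))
DEMO_TAG = key_tag(DEMO_RDATA)                       # 2098 for this key
DEMO_DS_HEX = ds_digest(DEMO_OWNER, DEMO_RDATA, 2).hex()

if __name__ == "__main__":
    print(f"{DEMO_OWNER} IN DS {DEMO_TAG} 13 2 {DEMO_DS_HEX}")
    # The published DS must match the genuine key...
    print("genuine key matches:", ds_matches(DEMO_OWNER, DEMO_RDATA, DEMO_TAG, 13, 2, DEMO_DS_HEX))
    # ...and a key with even one bit changed (a substituted key) must not.
    tampered = DEMO_RDATA[:-1] + bytes([DEMO_RDATA[-1] ^ 0x01])
    print("tampered key matches:", ds_matches(DEMO_OWNER, tampered, DEMO_TAG, 13, 2, DEMO_DS_HEX))
```

Running the block prints the DS record a parent would publish for the constructed key, then True for the genuine key and False for the tampered one. This is only the DS-to-DNSKEY link; a full validator also checks the RRSIG over each answer with that DNSKEY and repeats the DS step zone by zone up to a configured trust anchor (the root KSK). That chain is what lets a resolver reject forged answers, which is the hijacking the Green Paper's recommendation is meant to prevent.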

The Green Paper was the product of the Internet Policy Task Force. The Department of Commerce launched the Internet Policy Task Force in April 2010. The Department of Commerce is seeking public comment on the Green Paper.

Resources

EPIC Reports, FOIA and Testimony

Organizations Working on Cybersecurity

Papers and Articles

Cybersecurity Infrastructure Surveillance Laws

Cybersecurity Legislation in the 111th Congress

News Articles
