A Huge Week in Cybersecurity legislation – does cybersecurity come at the cost of online privacy?

This week President Obama addressed the ‘rapidly growing threat from cyber-attacks’ in his State of the Union Address. But he didn’t stop there. The same day, President Obama signed an executive order addressing this matter further. And the following day, Rep. Mike Rogers (R-Mi.) and C.A. Dutch Ruppersberger (D-Maryland) asked Congress to revisit the Cyberintelligence Sharing and Protection Act (CISPA) proposed last year. Apparently, this week all eyes were on cybersecurity. While the executive order has been considered a much “weakened” alternative to CISPA, it appears to be much more popular overall. Let’s go over the basics…


Executive Order – Improving Critical Infrastructure Cybersecurity

This order focuses on facilitating government agencies’ ability to share information about cybersecurity threats with the private sector. “We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.” The Benton Foundation summed up the E.O. with these key points:

  • Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles
  • Establishes a voluntary program to promote the adoption of the Cybersecurity Framework
  • Calls for a review of existing cybersecurity regulation


Cyberintelligence Sharing and Protection Act (CISPA)

CISPA was an extremely controversial bill introduced last year (on November 30, 2011). It passed the House on April 26, 2012, but never reached a vote in the Senate. President Obama’s advisers instructed the President to veto the bill if it ever passed the Senate, arguing the bill lacked confidentiality and civil liberties safeguards. The bill was heavily criticized by internet privacy and public interest groups nationwide for its provision allowing the flow of ‘intelligence’ from private companies to government agencies.


Notable differences between the Executive Order and CISPA

While the E.O. allows sharing of government data with the private sector, it does not declare that the private sector will return that flow of data. CISPA, on the other hand, has a provision that would allow private sector companies to hand over “cybersecurity threat information” to the government. The provision goes further: it even grants those private companies immunity from the existing laws and regulations that would prevent them from sharing that exact private personal data in the first place.


What others are saying about CISPA

Critic Leslie Harris of the Center for Democracy and Technology – “Once that privacy information is in the hands of the military, it can be used for purposes completely unrelated to cybersecurity. In seeking to promote cybersecurity information sharing, CISPA creates a sweeping exception to all privacy laws.”

Supporter Steve Largent of CTIA – The Wireless Association – “…fashioning legislation to facilitate greater information sharing between the federal government and the private sector, as well as among private sector entities. Enactment of this sort of legislation will contribute significantly to the expression of sound cybersecurity practices.”


Why does this matter to the average consumer?

How much of your personal data is online and in the hands of private companies? Currently, there is no existing (legislative) infrastructure through which that data is shared between the private sector and the federal government. New legislation could either extend protections against collaboration between the federal government and the private sector or provide the framework for that sharing to thrive.


Final thoughts

Law professor Daniel J. Solove argues that Americans, in the post-Sept. 11 era, have been persuaded to trade privacy for security and that “privacy often loses out to security when it shouldn’t.” I think it is necessary for Americans to reflect on this paradigm. Do privacy and security need to be equated to a zero-sum relationship? Can Americans have both secured privacy rights (online), while still being afforded the necessary cyber security (on a national level)?


For more information

“Executive Order – Improving Critical Infrastructure Cybersecurity,” Feb. 12, 2013, available at http://m.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.

“President Revives an Old Debate about Privacy,” New York Times, Feb. 14, 2013, available at http://bits.blogs.nytimes.com/2013/02/14/the-president-revives-an-old-debate-about-privacy/.

“President Obama’s Cybersecurity Executive Order Scores Much More Than CISPA on Privacy,” Forbes, Feb. 12, 2013, available at http://www.forbes.com/sites/andygreenberg/2013/02/12/president-obamas-cybersecurity-executive-order-scores-much-better-than-cispa-on-privacy/?partner=yahootix.

“Forget SOPA, You Should Be Worried About This Cybersecurity Bill,” TechDirt.com, April 2, 2012, available at http://www.techdirt.com/articles/20120402/04425118325/forget-sopa-you-should-be-worried-about-this-cybersecurity-bill.shtml.

“Cybersecurity: Time to Act?” Benton Foundation, Feb. 15, 2013, available at http://benton.org/node/145615?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email.

