With all the commotion following President Obama’s recent Executive Order issued in February, one might think that something significant is finally happening at the national level on the cybersecurity front. Where there is smoke there is always fire, right? Well, not always – but time will tell.
Department of Homeland Security Secretary Janet Napolitano penned a blog post this week on the agency’s website that sought in particular to assure everyone that privacy and civil liberties are being taken into consideration as the Department moves forward on the new security policy directives outlined by the President. The post made it sound like something serious must be going down where cybersecurity is concerned.
“The Executive Order clears the way for more efficient sharing of cyber threat information between government and the private sector, while directing federal departments and agencies to incorporate robust privacy and civil liberty protections into all of their cybersecurity activities,” Napolitano wrote.
The privacy and civil liberty safeguards Napolitano speaks of are rooted in the Fair Information Practice Principles (.pdf), which were further bolstered by the administration’s Privacy Bill of Rights, issued last year.
“DHS is mindful that one of its missions is to ensure that privacy, confidentiality, civil rights and civil liberties are not diminished by the Department’s security initiatives. Accordingly, the Department has implemented strong privacy and civil rights and civil liberties standards into all its cybersecurity programs and initiatives,” Napolitano continued.
That certainly sounds like wheels are turning, and that it won’t be long before we hear bells and whistles.
The Executive Order, in tandem with the simultaneously issued Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD 21), is intended to enable “owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards,” as well as to lay the foundation for mechanisms that will “increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities.” Sounds good so far.
Napolitano now assures that there will be “layered privacy responsibilities throughout the Department” for the purpose of “integrating privacy protections into everything we do,” based on eight Fair Information Practice Principles which include: Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, Accountability and Auditing. That sounds comprehensive.
So, you may be asking yourself, why all the hoopla over privacy and civil liberties when we are essentially discussing the securing of critical infrastructure and the breaking down of isolated information silos in order to facilitate the sharing of threat intelligence? It boils down to everyone feeling vulnerable in this process, and the only group anyone can attempt to reassure is the public, the ones who actually know the least about what is going on.
There have been a slew of failed or stalled legislative proposals on cybersecurity on Capitol Hill, some of which would have companies providing the government with all sorts of information they collect – including data on individuals – in exchange for some legal immunity and liability limitation guarantees should the companies be found to have violated their obligations to adequately safeguard that data.
“Without those immunities, companies will by nature be more circumspect about what they provide the government, thus limiting what they hand over,” said the Electronic Frontier Foundation’s Mark Jaycox.
While the President’s move neither negates the need for comprehensive legislation nor provides the level of assurance the private sector is seeking, it does significantly remove barriers within government, and between the government and the private sector, with regard to creating a framework for more information sharing.
“A lot of what this shows is that the president can do a lot without cybersecurity legislation,” Jaycox said. But, as several experts have noted, the President’s order can only affect policies within the agencies he is constitutionally empowered to administer, and by no means creates a mandate for participation by the private sector.
So where does that leave us?
- Advocacy groups are still in an uproar at the thought of the private sector acting as domestic espionage operatives on behalf of the government
- Private industry is still leery that sharing security intelligence with the Feds will expose them and their stakeholders to lawsuits or regulatory sanctions
- The government still desperately needs to play catch-up on cybersecurity, having found itself twenty years behind the capabilities of malicious actors
- The public still wants security, privacy, and accountability from all parties involved