Obama Shuts Down NSA Cybersecurity Proposal

—By Kevin Drum

Ellen Nakashima of the Washington Post reports that the NSA and the White House are at odds over a proposal to increase surveillance of "critical infrastructure systems" in order to prevent cyberattacks:

The most contentious issue was a legislative proposal last year that would have required hundreds of companies that provide critical services such as electricity generation to allow their Internet traffic be continuously scanned using computer threat data provided by the spy agency. The companies would have been expected to turn over evidence of potential cyberattacks to the government.

....The NSA proposal, called Tranche 2, sparked fierce debate within the administration. It would have required an estimated 300 to 500 firms with a role in critical infrastructure systems to allow their Internet carrier or some other private company to scan their computer networks for malicious software using government threat data....NSA officials say this process would have been automated, preventing intrusion into the personal privacy of ordinary users visiting Web sites or exchanging electronic messages with friends.

....But the White House and other agencies, including the departments of Justice and Commerce, said the proposal left open the possibility that the large Internet carriers themselves could be designated critical entities. This, they said, could have allowed scanning of virtually all Internet traffic for cyberthreats on behalf of the government, opening a newly extensive window into American behavior online.

The story leaves it unclear whether Tranche 2 is dead for good, or merely needs to be retooled to place clear limits on who's required to take part. Either way, given the intense interest in cybersecurity these days, I don't expect this proposal to go away.

On a political note, it's unclear how this will break down on party lines. Obviously the GOP base is inclined to think that anything Obama opposes must be good, and they certainly supported the increased surveillance powers that George Bush gave to NSA. On the other hand, tea partiers tend to be suspcious of this kind of Big Brotherish monitoring. So it's hard to say which way they'll jump. Probably against Obama is my guess.

http://www.motherjones.com/kevin-drum/2012/02/obama-shuts-down-nsa-cybersecurity-proposal

President Obama Shows No CISPA-like Invasion of Privacy Needed to Defend Critical Infrastructure

By Michelle Richardson

Last night the President signed an executive order (EO) aimed at ramping up the cybersecurity of critical infrastructure. Overwhelmingly, the EO focuses on privacy-neutral coordination between the government and the owners and operators of critical infrastructure (CI)—such as the banking, communication, power, and transportation sectors—which have long been regulated because of their fundamental role in the smooth operation of society. Now that these important entities are all connected to the internet, the administration insists that their cybersecurity be on par with their physical security.

There are two important information sharing advancements in the EO, and this time they are good for privacy. They do not include the many problems of legislation like the Cyber Intelligence and Sharing Protection Act (CISPA) because an executive order by definition cannot take away the privacy protections granted by current statutes. In other words, the EO cannot exempt companies from privacy statutes, or let the government collect new information. It can only act within its existing power to change policies and practices.

Two cheers for cybersecurity programs that can do something besides spy on Americans.

The first information sharing advancement greases the wheels of information from the government to the private sector. Section 4 lights a fire under agencies and directs them to share more information with companies—information they already have and can legally collect under current law. Information flowing in this direction is nowhere as near as problematic as the opposite direction. To the extent that corporate and congressional advocates claim that CISPA is needed for this purpose, the administration beat them to the punch. The EO directs the attorney general, the director of national intelligence and the secretary of homeland security to set up a system to get threat information to critical infrastructure owners and operators. They have four months to pull it together.

The second information sharing provision is a net positive for civil liberties. Section 5 directs the Department of Homeland Security, the Privacy and Civil Liberties Oversight Board (PCLOB) and the Office of Management and Budget to evaluate current interagency information sharing. There is plenty of cyber information floating around the executive branch and across different agencies. There doesn't appear to be any publicly available regulation of how that information is protected for privacy purposes, and it may very well be that it is protected by a mish-mash of originating statutes that treat different types of information with varying protections. By holding the agencies accountable to the Fair Information Practice Principles (FIPPs)—transparency, choice, minimization and more—we may see a government-wide cybersecurity privacy regime evolve. To get it done right, PCLOB will need to be funded and staffed up, and advocacy will be needed to keep the agencies true to the FIPPs, but the President has now declared them the bellwether for cybersecurity information.

Overall, the EO is a win for privacy and civil liberties. It's a good reminder that while some are focused like a laser on turning our internet records over to the National Security Agency, there are a lot of other things that government can do to advance cybersecurity instead. Now it's up to all of us to make sure Congress follows the President's lead.

http://www.aclu.org/blog/national-security-technology-and-liberty/president-obama-shows-no-cispa-invasion-privacy-needed

Thank You Mr. President – In Big Win for Privacy, Administration Issues CISPA Veto Threat!

By Robyn Greene

Over the last few months, more than 50,000 ACLU supporters signed our petition to the president urging him to veto CISPA if it made it to his desk. Not only did the president hear your calls – yesterday, he answered them with a resounding win for your privacy and civil liberties and threatened to veto CISPA, the dangerous privacy-busting cybersecurity bill.

The president's veto threat echoed many of our concerns, and those that he raised last year when he threatened to veto CISPA 1.0. We have long warned that CISPA threatens Americans' privacy and civil liberties by allowing for companies to share our private information, like our internet records and the content of our emails, with the government. Yesterday's veto threat makes it clear that in spite of recent amendments, CISPA still fails to adequately protect our privacy. As the veto threat states:

…the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable…for failing to safeguard personal information adequately.

President Obama also addressed our concerns that CISPA would allow for the militarization of the internet by allowing domestic cyber threat information to be shared with the NSA or other agencies in the Department of Defense. The veto threat was unequivocal that the internet is a civilian space, stating that:

The Administration supports the longstanding tradition to treat the Internet and cyberspace as civilian spheres…[and] newly authorized information sharing for cybersecurity purposes from the private sector to the government should enter the government through a civilian agency.

While we are thrilled that the president has threatened to veto CISPA if it reaches his desk, the fight isn't over yet. The House is expected to vote on CISPA as early as today. We wrote the House and joined a coalition of 34 groups urging a "No" vote on CISPA, but every member of Congress should also hear from their constituents that they should vote for privacy, and vote "NO" on H.R. 624.

http://www.aclu.org/blog/technology-and-liberty-national-security/thank-you-mr-president-big-win-privacy-administration