This blog post was written by Access policy intern Jack Bussell.
Today, the White House will hold its Summit on Cybersecurity and Consumer Protection. Hosted at Stanford University, the summit will bring together industry, law enforcement, and civil liberties organizations to explore improved cybersecurity. The White House hopes to push several themes, including information sharing, secure payment technologies, and improved cybersecurity literacy. While improved digital hygiene is critically important, the information-sharing proposals offered by Congress and President Obama so far place user privacy at risk while being of questionable utility for improving digital security.
In recent months, cybersecurity has become a major public policy focus. For example, during his State of the Union address in January, the President mentioned that the government would share information about cybersecurity “just as we have done to combat terrorism.” Earlier this week, the White House announced a plan to create an agency, the Cyber Threats Intelligence Integration Center (CTIIC), to defend against cyber attacks. Currently, combating cyber crime falls to multiple agencies, including the National Security Agency and the Department of Homeland Security. Organized under the Office of the Director of National Intelligence and modeled after the National Counterterrorism Center, the CTIIC will be responsible for integrating digital threat information for the federal government and coordinating the response.
Several cyber proposals were also introduced in the lead-up to the State of the Union. The Personal Data Notification and Protection Act would set a single federal standard for data breach notification. The Consumer Privacy Bill of Rights would be the first baseline established for privacy at the federal level. Up until now, legislation dealing with privacy has been industry-specific, such as privacy protections for financial or health data. Access has previously discussed the benefits and shortcomings of these proposals in our blog.
Policymakers have consistently focused on increasing the sharing of data by private companies with the intelligence community. This includes the Cyber Threat Sharing Act, introduced this week by Senator Tom Carper. Proponents argue that information sharing, especially between the private and public sectors, will allow for more effective law enforcement. Such thinking underlies the creation of the CTIIC, which is premised on coordinating information from both the intelligence community and private actors.
Some privacy experts, however, believe the CTIIC is redundant and intended to increase data flow to agencies conducting surveillance. In general, information sharing comes with many costs to user privacy. Proposals would effectively create a new surveillance authority by forwarding cybersecurity information to the intelligence community. The proposals would also grant sweeping liability limitations for companies sharing personal information. Yet, research shows that information sharing is of questionable utility. Better digital hygiene, such as effective password management and improved assessment of third parties like cloud-based services, could have prevented over 90 percent of the data breaches in the first half of 2014.
Several recent high-profile data breaches at major U.S. companies, including those at Home Depot, Target, JPMorgan Chase, and most recently, health insurer Anthem, have highlighted the need for stronger digital security.
Access calls on President Obama and Congress to pass comprehensive cybersecurity legislation without the harmful privacy provisions of information-sharing proposals. For instance, as a coordinating body, the CTIIC should focus its efforts on coordinating strong transparency among agencies to maximize the public’s access to information. Any sharing of personal information should be strictly limited. After all, data becomes more vulnerable, not more secure, as it flows across the internet.
You can find the Summit on Cybersecurity and Consumer Protection live stream here.
photo credit: Andrew Butitta