The US legislature has cybersecurity on the brain. In the coming months, the US Congress and the Senate will consider a confusing variety of cyber-security bills — including HR 3523 (Rogers), HR 3674 (Lungren), S. 2105 (Lieberman), and S. 215 (McCain) — all of which purport to keep US companies and infrastructure safe from "cyber-attacks". But as Congress continues to weigh this legislation and negotiate potential amendments, users should ask some serious questions about how these proposals will affect civil liberties. Here are four hard questions that Congressmembers should be asking about these bills — the answers to which the bills disagree on or dodge entirely.
Who Will Be In Charge Of Cybersecurity?
The Rogers bill (HR 3523) proposes to put the military-intelligence community in charge of cyber-security while the Lungren bill (HR 3674) keeps it under civilian control by putting it in the hands of the Department of Homeland Security. Given the National Security Agency's history of secrecy and over-classification, military control of cyber-security is a potentially disastrous outcome for those who are concerned with counter-balancing hysteria over "cyber-warfare" and "cyber-crime" with respect for privacy and civil liberties. Civilian control over cyber-security is essential if there is to be any degree of openness and transparency in the US' cyber-security policy.
Governmental cyber-security programs must aim to achieve security through openness and the use of transparent, accountable processes. Governments have a special duty to their citizens to guard their privacy and civil liberties, as well as a duty to be accountable for their use of taxpayer dollars.
Government programs are, by their very nature, not competing in a marketplace, where there are sometimes strong financial incentives for the clever use of secretive practices. Additionally, the sprawling nature of US infrastructure decreases the likelihood of keeping secrets against adversaries and increases the potential benefits of constructive scrutiny from all corners. Simply put: open is better, and there is no way cybersecurity policy will be open under military control.
What Exactly Is A "Cyber-Security Threat?"
At this time, most of the proposed cyber-security bills grant the government broad powers in the event of a "cyber-security threat". Unfortunately, we don't know what that means. EFF has raised detailed concerns about the potential harm this vague language could do if the existing legislative proposals are passed into law.
In brief, broad definitions potentially implicate tools and behaviours that security experts would NOT reasonably consider to be cyber-security threat indicators. Just using a proxy or anonymising service such as Tor, encryption to protect your data, or measuring your ISP's network performance could all be construed as "cyber-security threats" in some of these legislative proposals. People who take measures to protect their own privacy and security online in ways that EFF regularly recommends and supports could potentially be treated like criminals. And even under a more generous reading of the language, legitimate security research would be targeted and security researchers could find themselves under perpetual scrutiny as potential "cybercriminals".
What Does "Information Sharing" Mean?
All of the proposed cyber-security bills mandate some kind of "information sharing" or "government assistance" between the US government and the private companies that have access to so much of our personal data, including email, web searches, GPS data and our social graphs. Companies are encouraged to share information about "cyber threats" or incidents with the government and to that end it provides them with immunity when sharing information about threats.
Some of the proposals balance this information-sharing with privacy oversight, to make sure that shared information does not impinge on individual privacy or civil liberties, but proposals such as the Rogers bill contain no such protective language. The Rogers bill gives companies a free pass to monitor and collect communications and share that data with the government and other companies, so long as they do so for "cyber-security purposes".
Just invoking "cyber-security threats" is enough to grant companies immunity from nearly all civil and criminal liability, effectively creating an exemption from all existing law. Additionally, the Rogers bill places almost no restrictions on what kinds of information can be collected and how it can be used, so long as the companies can claim it was motivated by "cyber-security purposes". S 2105 (Lieberman) and S 2151 (McCain) contain similarly dangerous provisions.
As if that wasn't bad enough, "information sharing" is often just a euphemism for surveillance and countermeasures, including monitoring email, filtering content, or blocking access to websites.
Will The Cyber-Security Bills Improve Our Security Or Not?
Ideally, cybersecurity legislation would benefit US citizens by protecting government systems and infrastructure in a manner that is open, accountable, transparent and respectful of citizens' privacy and civil liberties. Unfortunately, there are aspects of the proposed cybersecurity bills that lead us to believe the American people will not be coming out on top.
There is little doubt that the internet could stand to be a safer place. Major operating systems have security vulnerabilities, as do plenty of other commercial off-the-shelf software. The Internet could use more encryption, more secure protocols, and better authentication schemes. But the cybersecurity bills don't do any of these things.
Instead of creating incentives for better defensive Internet security, the proposed bills take an offensive posture: more monitoring, more surveillance, and more disclosure of your private information. Not only will the cyber-security bills fail to make us safer, they will put users' privacy and security at risk.
Republished with permission from the Electronic Frontier Foundation.