US President Barack Obama signed an executive order last week to bulk up the US federal government's cybersecurity efforts. It focuses on creating ways for the private sector to share threat information with the government. Unfortunately, it may do more to further jeopardize consumer privacy than it will to effectively minimize cyberthreats.
Look, his net neutrality proposal was great. It's clear that Obama has a deeper understanding of how the internet works than at least a shitload of other politicians. But this cybersecurity order looks potentially milquetoast on the threat-prevention front and straight-up worrisome on the government-slurping-all-our-data horizon.
In the past, many companies have been reluctant to share information with the government, due to the breadth and secrecy of its surveillance programs. Last month, Obama proposed legislation that would shield companies from lawsuits when they hand over information related to cyberthreats, so that could assuage litigation-based fears. (Not fears about shitting all over consumer privacy, mind you.)
While the order calls for public, annual reviews of how the cybersecurity data sharing affects privacy and civil liberties, that review will be conducted by the Department of Homeland Security, which does not have the most attractive track record when it comes to gauging these matters... I guess it's better than being conducted by the NSA?
There is little comfort to be found in a government known for its heavy-handed domestic spying saying that an internal report is a realistic safeguard against privacy violations. Especially a "public" report with this convenient option:
The report may contain a classified annex if necessary.
Now, the infrastructure called for in this order could turn out to be the most sophisticated and practical cyberthreat defense policy known to this great green globe. That would be terrific. Whether the order succeeds or fails at improving cybersecurity depends entirely on how it's carried out.
I know that might seem obvious, but there's nothing hardboiled into this order that reads like a definitive move against cyberthreats. It's mostly establishing a bureaucracy to coordinate discussion of cyberthreats. It will only work if the information-sharing between the government and private actors results in both parties learning how to improve their security.
What is hardboiled into the order is the idea that companies need to give the government data as a matter of national security. And if that drive to share isn't counterbalanced by truly comprehensive measures to ensure that the hunt for cybercrime doesn't require rooting through private information, this could be bad.
Here's the full text: