The U.S. legislature has cybersecurity on the brain. In the coming months, Congress and the Senate will consider a confusing variety of cybersecurity bills--including H.R. 3523 (Rogers), H.R. 3674 (Lungren), S. 2105 (Lieberman), and S. 215 (McCain)--all of which purport to keep U.S. companies and infrastructure safe from “cyberattacks." But as Congress continues to weigh this legislation and negotiate potential amendments, users should ask some serious questions about how these proposals will affect civil liberties, and tell Congress that we won't stand for cybersecurity bills that undermine our civil liberties. Here are four hard questions that Congressmembers should be asking about these bills--the answers to which the bills disagree on or dodge entirely.
Who will be in charge of cybersecurity?
The Rogers bill (H.R. 3523) proposes to put the military-intelligence community in charge of cybersecurity while the Lungren bill (H.R. 3674) keeps it under civilian control by putting it in the hands of the Department of Homeland Security. Given the National Security Agency’s history of secrecy and over-classification, military control of cybersecurity is a potentially disastrous outcome for those who are concerned with counter-balancing hysteria over “cyberwarfare” and “cybercrime” with respect for privacy and civil liberties. Civilian control over cybersecurity is essential if there is to be any degree of openness and transparency in U.S. cybersecurity policy.
Governmental cybersecurity programs must aim to achieve security through openness and the use of transparent, accountable processes. Governments have a special duty to their citizens to guard their privacy and civil liberties, as well as a duty to be accountable for their use of taxpayer dollars. Government programs are, by their very nature, not competing in a marketplace, where there are sometimes strong financial incentives for the clever use of secretive practices. Additionally, the sprawling nature of U.S. infrastructure decreases the likelihood of keeping secrets against adversaries and increases the potential benefits of constructive scrutiny from all corners. Simply put: open is better, and there is no way cybersecurity policy will be open under military control.
What exactly is a “cybersecurity threat?”
At this time, most of the proposed cybersecurity bills grant the government broad powers in the event of a “cybersecurity threat.” Unfortunately, we don’t know what that means. EFF has raised detailed concerns about the potential harm this vague language could do if the existing legislative proposals are passed into law. In brief, broad definitions potentially implicate tools and behaviors that security experts would NOT reasonably consider to be cybersecurity threat indicators. Just using a proxy or anonymizing service such as Tor, encryption to protect your data, or measuring your ISP’s network performance could all be construed as “cybersecurity threats” in some of these legislative proposals. People who take measures to protect their own privacy and security online in ways that EFF regularly recommends and supports could potentially be treated like criminals. And even under a more generous reading of the language, legitimate security research would be targeted and security researchers could find themselves under perpetual scrutiny as potential “cybercriminals.”
What does "information sharing" mean?
All of the proposed cybersecurity bills mandate some kind of “information sharing” or “government assistance” between the U.S. government and the private companies that have access to so much of our personal data, including email, web searches, GPS data, and our social graphs. Companies are encouraged to share information about “cyber threats” or incidents with the government, and to that end it provides them with immunity when sharing information about threats.
Some of the proposals balance this information-sharing with privacy oversight, to make sure that shared information does not impinge on individual privacy or civil liberties, but proposals such as the Rogers bill contain no such protective language. The Rogers bill gives companies a free pass to monitor and collect communications and share that data with the government and other companies, so long as they do so for “cybersecurity purposes.” Just invoking “cybersecurity threats” is enough to grant companies immunity from nearly all civil and criminal liability, effectively creating an exemption from all existing law. Additionally, the Rogers bill places almost no restrictions on what kinds of information can be collected and how it can be used, so long as the companies can claim it was motivated by “cybersecurity purposes.” S. 2105 (Lieberman) and S. 2151 (McCain) contain similarly dangerous provisions.
As if that wasn't bad enough, "information sharing" is often just a euphemism for surveillance and countermeasures, including monitoring email, filtering content, or blocking access to websites.
Will the cybersecurity bills improve our security or not?
Ideally, cybersecurity legislation would benefit U.S. citizens by protecting government systems and infrastructure in a manner that is open, accountable, transparent, and respectful of citizens’ privacy and civil liberties. Unfortunately, there are aspects of the proposed cybersecurity bills that lead us to believe the American people will not be coming out on top.
There is little doubt that the Internet could stand to be a safer place. Major operating systems have security vulnerabilities, as do plenty of other commercial off-the-shelf software. The Internet could use more encryption, more secure protocols, and better authentication schemes. But the cybersecurity bills don't do any of these things. Instead of creating incentives for better defensive Internet security, the proposed bills take an offensive posture: more monitoring, more surveillance, and more disclosure of your private information. Not only will the cybersecurity bills fail to make us safer, they will put users' privacy and security at risk.
Help EFF stop the worst of the cybersecurity proposals by sending an email to Congress today.