EPIC - Cybersecurity Privacy Practical Implications

Cybersecurity Privacy Practical Implications

Concerning Privacy and Cybersecurity Policy

Latest News |
Introduction |
Threats |
Policy |
Privacy |
News |
Resources

Latest News

EPIC Warns Congress of Cybersecurity Risks to Consumers: EPIC Executive Director Marc Rotenberg testified today before the House Subcommittee on Financial Institutions and Consumer Credit. EPIC highlighted several recent high-profile data breaches, including those involving the digital security certificates used to authenticate websites, that have compromised the private data of thousands of consumers. Citing reports from the Privacy Rights Clearinghouse, EPIC's Rotenberg said "These attacks on financial institutions produce both direct and indirect costs for consumers who must contend with the risk of identity theft and financial fraud." EPIC previously testified before the Senate Banking Committee on cybersecurity in the financial sector and the growing threat to consumer data. For more information, see EPIC: Cybersecurity and Privacy. Webcast. (Sep. 14, 2011)

Commerce Department Releases Cybersecurity Report, Seeks Comments: The U.S. Department of Commerce has released a green paper on "Cybersecurity, Innovation, and the Internet Economy." The paper is the latest deliverable published by Secretary Locke's Internet Policy Task Force, established in April 2010 as collaboration between technical, policy, trade, and legal experts. The Department’s goal is to provide voluntary standards and incentives for Internet stakeholders who fall outside of the scope of "critical infrastructure." The White House released draft cybersecurity legislation in May 2011 that would designate the Department of Homeland Security as the lead administrative agency for critical infrastructures. The Department of Commerce poses several questions in the green paper, and is encouraging stakeholders to submit comments, which are due in 45 days. For more information, see EPIC: Cybersecurity and Privacy. (Jun. 8, 2011)

House Examines White House Cybersecurity Proposal: The House of Representatives has held two hearings on the White House legislative plan for cybersecurity. The House Oversight and House Judiciary Committees questioned government officials and members of private industry on the proposal. Committee members showed particular interest in provisions that pre-empted stronger state laws and those that offered immunity to private industry for complying with government requests for information on data breaches. Rep. Watt (D-NC) asked how the proposal was unlike the controversial telecom immunity contained in the Patriot Act. The White House proposal is part of a series of initiatives driven by the 2009 Cyberspace Policy Review. EPIC has called for cybersecurity legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. For more information, see EPIC: Cybersecurity and Privacy and EPIC: National Strategy for Trusted Identities in Cyberspace. (May. 26, 2011)

White Houses Releases International Cyberspace Plan: Following the release of proposed cyber security legislation last week, the White House today unveiled "International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World." The Strategy is ambitious and far-reaching, covering economic policy, foreign affairs, homeland security, and defense. The Strategy also emphasizes the need to safeguard fundamental freedom and privacy rights. To address growing concerns about online privacy, EPIC has recommended that the United States begin the process of ratifying the International Privacy Convention, which has been adopted by more than 40 countries. For more information see, EPIC - Privacy Convention. (May. 17, 2011)

White House Sets Out Cyber Security Plan: The White House has announced a far-reaching legislative proposal for cyber security. The plan proposal would standardize data breach reporting requirements, clarify penalties for computer crime, and create a regulatory framework for critical infrastructure. However, the plan also enables greater data collection across the federal government and expanded electronic surveillance. EPIC has previously called for cyber security legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. EPIC has several pending FOIA lawsuits concerning the Administration's cyber security programs, including the Google/NSA collaboration. For more information, see EPIC: Cybersecurity and Privacy. (May. 13, 2011)

Senate Commerce Committee to Explore Internet Privacy, Airport Screening, Cybersecurity: Chairman Rockefeller's (D-WV) priorities for the Senate Commerce Committee in the new Congress will include consumer privacy, oversight of the Federal Trade Commission, airport screening, and cybersecurity, according a recent statement. Senator Rockefeller has specifically called for strong Internet privacy laws. "There are no baseline privacy protections for most consumer online activity," he stated. "Industry self-regulation has largely failed, and I hope that the Department of Commerce . . .will reach the conclusion that legislation is necessary to protect consumers." EPIC has testified previously before the Committee on the Childrens' Online Privacy Protection Act (COPPA), protecting consumers' phone records, and spam e-mail. For more information, see EPIC: Online Tracking and Behavioral Profiling and EPIC: Cybersecurity Privacy Practical Implications. (Jan. 21, 2011)

EPIC, Joined by 13 Organizations, Sends Statement on NSTIC: EPIC, joined by the American Library Association, Liberty Coalition, Bill of Rights Defense Committee, and the Center for Media and Democracy, among others, sent a statement to the Department of Homeland Security responding to the Administration's call for comments regarding its National Strategy for Trusted Identities in Cyberspace Creating Options for Enhanced Online Security and Privacy (NSTIC) draft policy. The coalition's comments press the Administration for a clearer definition of the problems that the policy intends to solve. The coalition further advocates for the maintenance of a free and open Internet that protects the creative content of users, assures privacy, and creates accountability and oversight of government activity, especially as it relates to law enforcement and surveillance. For more, see EPIC's Cybersecurity and Privacy. (Oct. 1, 2010)

EPIC Seeks Details on New Government Crypto Regulations: EPIC has sent Freedom of Information Act (FOIA) requests to the Department of Justice, the Federal Bureau of Investigation, and the National Security Agency for information about a proposal to expand Internet surveillance and deploy weakened security standards. The proposal would require Internet companies to develop network services to enable government access to private communications, including those on peer-to-peer networks. In 1996, the National Resource Council concluded that such technical standards make network communications more vulnerable to cyber attack. For more information, see EPIC: Cryptography Policy. (Sep. 29, 2010)

DHS Privacy Office Releases 2010 Annual Report: The Department of Homeland Security has released the Privacy Office 2010 Annual Report. The Agency's Chief Privacy Officer must prepare an annual report to Congress that details activities of the Department that affect privacy, including complaints of privacy violations, and DHS compliance with the Privacy Act of 1974. This year’s report details the establishment of privacy officers within each component of the Agency. The report also provides updates on Fusion Centers, Cybersecurity, and Cloud Computing activities of the agency. For more information, see EPIC: DHS Privacy Office. (Sep. 24, 2010)

EPIC FOIAs NSA for Details of "Perfect Citizen": EPIC has filed a Freedom of Information Act request with the National Security Agency regarding the new secret cybersecurity program known as "Perfect Citizen." According to the Wall Street Journal, the program "would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack," although the agency has claimed that there "is no monitoring activity involved, and no sensors are employed in this endeavor" but has refused to release the details of the program. In its request, EPIC has sought contracts, memoranda, and other records relating to "Perfect Citizen." For more information, see EPIC Cybersecurity and Privacy. (Jul. 16, 2010)

Introduction

Cybersecurity encompasses an array of challenges to protect digital information and the systems they depend upon to affect communication. The interconnected world of computers forms the Internet, which offers new challenges for nations because regional or national borders do not control the flow of information as it is currently managed. The Internet, in the most basic sense, works like any other remote addressing system, for example, a telephone number corresponds to a particular device, a home or building address corresponds to a particular geographic location. The Internet's addressing system is called the Internet Protocol (IP).

Each computer network and computing device designed to communicate over the Internet must have a unique address to send or receive messages. The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for the task of managing these addresses so that each unique Internet device (computer, cell phone, personal digital device) has a unique IP number designation. This Internet addressing system translates these numbers into World Wide Web addresses best known by the extensions .com, .edu, .net, and .org. This addressing system makes it very easy for people to find the people and Web addresses they are seeking. IP registration information or WHOIS data on Internet address holders is a source of contention between privacy/free speech/human rights advocates and law enforcement and commercial and government interests.

Privacy

What Privacy Rights May be Involved with Cybersecurity?

Privacy interest in cybersecurity involves establishing protocols and effective oversight regarding when, why, and how government agencies may gain access to personal information that is collected, retained, used, or shared. U.S. businesses and government share responsibility for the insecurity of consumer online personal information. There is no single federal minimum standard for data protection that enforces fair information practices (FIPs). Fair information practices regulate and enforce consumer privacy rights regarding data collection, retention, use, and sharing of personal information. The federal approach has focused not on the protection of personal information, but on the purpose of the information collection.

The history of U.S. government agencies conducting sanctioned and unsanctioned surveillance of domestic communication by colluding with telecommunications and wire communication companies is well known. (The Puzzle Palace, Inside the National Security Agency America's Most Secret Intelligence Organization (1983)- James Bamford) Domestic surveillance first began as a means of acquiring information on criminal activities and quickly moved to documenting people's engagement in social or political activities and their exercise of constitutionally protected rights to expression and assembly. Fundamentally, control of society is, in large part, about the ability of government to control communications.

One key challenge facing digital communications users is that this medium suits those inclined to spy unlike any other form of surveillance because the intruder can hide the fact that a communication has been compromised. The National Security Agency is no amateur at delving into personal communications that are secured by law or design from snooping.

Cybersecurity Interests

Consumer Cybersecurity Interest

Online consumers have been victimized by cyber-threats in the form of spyware; malicious computer viruses, worrms, or malware; and fraud or abusive sales tactics that lure consumers to invest in bogus products or services. Online consumers routinely fall victim to identity theft, as well as spam, phishing or pharming attacks.

Consumers are also facing the challenge of determining which products or services to trust to provide goods and services as advertised.

Political Advocacy and Academic Cybersecurity Interest

For individuals and organizations that rely on the Internet for research, access to information, collaboration, political participation, fundraising, coalition building, campaigns, advocacy, organized dissent, political speech, watchdog actions against government and businesses, freedom of expression, dissemination of information or for outreach to constituencies--cybersecurity does matter a great deal.

Threats posed to political activity include deceptive campaign tactics that deface Websites, target donations for theft, create denial of service attacks on Websites, or send messages that are deceptive or misleading regarding the rules for voter participation on election day. If responses to cyber-attacks deny advocates access to the Internet and/or advanced communications networks, this would deny them the means to engage in a wide range of activities that could include election protection efforts during public elections, mobilize supporters for public protests, educate consumers, or empower constituencies to know and understand policy that impacts their lives. Academics and researchers must have a trustworthy and reliable means of exchanging ideas, participating in discussions, and collaborating on projects that advance their areas of research interest.

Business Cybersecurity Interest

Large and small companies have cyber-threats within and outside of their control such as data breaches, theft of company secrets, spying, attacks on computer networks, and damage to critical systems. Many companies are considering the challenges of cybersecurity and looking to new business applications such as cloud computing to secure data. However, cloud computing has enormous security and privacy risks relating to dependence on untrustworthy or unevaluated third parties.

New business and government services such as electronic health records and development and updating of critical infrastructure such as the Smart Grid each offer new cybersecurity privacy challenges for consumers.

National Security Cybersecurity Interest

The cyber-threats to any nation can range from disruption of an agency's networks or information services to the public to cyber-warfare. Depending on the agency, type of cyber-attack, its scope, duration, and effectiveness, the consequences for the online and offline operation of local, federal, or state government components can range from annoying delays in communications to serious damage to infrastructure threatening life or property.

Cyber-attacks or incidents that threaten the command and control structure of the national government or its assets including national defense, emergency response, and economic systems are of growing concern. The digital infrastructure of the nation must be treated as a strategic national asset. The new mission is to deter, detect, and defend against disruptions and attacks of all descriptions.

Policy

Introduction

Cyberspace is global, but the freedoms that are protected by constitutional rights, human rights norms, and legal institutions are defined by treaty or geography. Cybersecurity may be defined by governments, but will have a lasting impact on many rights and civil liberties enjoyed by free people throughout the world who engage in cyber-communications. Freedom of expression, freedom of association, economic opportunity, and political discourse may be redefined by the course the United States charts for cybersecurity.

Decisions about how to define cybersecurity and who will define it may affect Internet anonymous speech, freedom of expression, free speech, and access to information. Those who have worked on Network Neutrality understand what manipulation of communications over the Internet might mean. However, in the realm of federal cybersecurity, transparency and oversight might not be part of the process.

The Obama Administration has engaged agencies of the federal government, large corporations, technology companies, technologists, legal scholars, and policy experts in the deliberative process related to establishing policy to secure cyberspace.

Cyberspace Policy Review

On May 29, 2009, President Barack Obama announced the Administration's plan to address the growing issue of digital information insecurity. The Administration engaged multiple participants to develop this plan.

Much of the nation's critical infrastructure is connected in some way to computer networks. Addressing digital communication system vulnerabilities touches on important privacy and security questions that must be answered. The President began this discussion on cybersecurity by stating:

It is now clear that this cyber-threat is one of the most serious economic and national security challenges we face as a nation. It's also clear that we are not as prepared as we should be as a government or as a country. In recent years some progress has been made at the federal level, but just as we failed in the past to invest in our physical infrastructure: our roads, our bridges, and rails. We failed to invest in the security of our digital infrastructure. No single official oversees cybersecurity policy across the federal government and no single agency has the responsibility or authority to match the scope and scale of the challenge...

The Obama Administration is challenging federal government agencies, large technology companies, corporate America, academics and digital media users to join efforts to secure the Internet and telecommunications systems from every form of cyber-threat or menace.

The goal of the Administration is to pursue a new aggressive and comprehensive approach to cybersecurity that would address all forms of cyber-based threats. The category of threats will include those faced by consumers, corporations, critical infrastructure, and networked local, state, and federal government agencies. Internet or networked computer based communications have moved beyond an option to a necessary tool for a highly interconnected world. The Internet has fundamentally changed the social, cultural, business, political, and educational experiences of people.

The Cyberspace Policy Review set out 10 near-term actions. According the Whitehouse.gov Cybersecurity Factsheet, the Administration has completed or will soon complete all of those items:

Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy. ◊ Complete. Howard A. Schmidt has been appointed as the Cybersecurity Coordinator.
Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCIactivities and, where appropriate, build on its successes. ◊ Complete. The direction and needs highlighted in the Cyberspace Policy Review and previous national cybersecurity strategy are still relevant, and we have updated that strategy on targeted cyber issues, such as identity management and international engagement.
Designate cybersecurity as one of the President’s key management prioritiesand establish performance metrics. ◊ Complete. All senior executives and senior leadership have been informed that cybersecurity is one of the President’s key management priorities for the Federal Government. We have established metrics through the CyberStats program, and we have also worked with the Office of Management and Budget (OMB) to update the Federal Information Security Management Act (FISMA) metrics by which departments and agencies are graded on their cybersecurity. Together, we are shifting the Federal Government’s approach to cybersecurity from a static, paper-based certification and accreditation to a dynamic, relevant process based upon continuous monitoring and risk assessment.
Designate a privacy and civil liberties official to the NSC cybersecurity directorate. ◊ Complete. Our second Director for Privacy and Civil Liberties official joined us from the Federal Trade Commission in December 2010.
Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government. ◊ Complete. We have developed a formal interagency process as we continue to address policy and legal issues. As part of that process, we identified additional authorities that the executive branch needs to fulfill its mission, and we have requested those authorities as part of our legislative package.
Initiate a national public awareness and education campaign to promote cybersecurity. ◊ Complete. We have created the National Initiative for Cybersecurity Education (NICE) with the dual goals of a cyber-savvy citizenry and a cyber-capable workforce, including raising awareness for consumers, enhancing cybersecurity education, and improving the structure, preparation, and training of the cybersecurity workforce. After the 2010 National Cyber Security Awareness Month, DHS launched a year-round national awareness campaign, which has held events around the country.
Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity. ◊ Complete. We have finished and will soon release the International Strategy for Cyberspace, which provides a unified foundation for the nation’s international engagement on cyberspace issues.
Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement. ◊ Complete. The National Cyber Incident Response Plan (NCIRP) was developed and tested during a national cyber exercise, Cyber Storm III. It is now in the final stages of being updated, based upon our experience using the plan in different cyber exercises.
In collaboration with other EOPentities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions. ◊ Complete. The White House Office of Science and Technology Policy has finalized a Cyber Research and Development Framework. Public release of the plan is expected to occur in May 2011.
Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation. ◊ Complete. The National Strategy for Trusted Identities in Cyberspace (NSTIC) was released on April 15, 2011. The Department of Commerce will stand up a program office to coordinate the federal government and private sector in implementing this effort.

Legislative Proposals

The White House proposed cybersecurity legislation in May 2011. According to the White House, the proposed legislation will help safeguard personal data, help protect our national security by addressing threats to critical infrastructure, and help the government protect federal networks while at the same time creating stronger privacy and civil liberties protections. The Whitehouse.gov Fact Sheet on the Proposal highlights the following features of the legislation:

On January 5, 2011, Representative Bennie Thompson (D-MS) sponsored H.R. 174, the Homeland Security Cyber and Physical Infrastructure Protection Act of 2011. H.R. 174 "seeks to enhance DHS’ cybersecurity capacity by authorizing the DHS Office of Cybersecurity and Communications and creating a new Cybersecurity Compliance Division to oversee the establishment of performance-based standards responsive to the particular risks to the (1) .gov domain and (2) critical infrastructure networks, respectively." (Source: Press Release). It was referred to the House Committee of Homeland Security's Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.

The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies has held several hearings on the issue of cybersecurity. On June 24, 2011, the subsommittee held a hearing entitled "Examining the Homeland Security Impact of the Obama Administration’s Cybersecurity Proposal." (http://homeland.house.gov/hearing/subcommittee-hearing-examining-homeland-security-impact-obamaadministrations-cybersecurity). On April 15, 2011, the subcommittee held a hearing entitled “The DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure.” On March 16, 2011, the subsommittee held a hearing entitled "Examining the Cyber Threat to Critical Infrastructure and the American Economy."

National Strategy for Trusted Identities in Cyberspace (NSTIC)

One objective of the White House's Cyberspace Policy Review was to develop a national plan for a public secure Internet identification program:

"The Federal government - in collaboration with industry and the civil liberties and privacy communities - should build a cyber security-based identity management vision and strategy for the Nation that considers an array of approaches, including privacy-enhancing technologies. The Federal government must interact with citizens through a myriad of information, services and benefit programs and thus has no interest in the protection of the public's private information as well."

National Strategy for Trusted Identities in Cyberspace (NSTIC)

Identity Ecosystem

screenshot

EPIC responded to the Draft NSTIC with a formal statement on the unique challenges the proposal presented for the continued protection of privacy and consumer rights. EPIC emphasized the need for:

A complete enumeration of the sources of the problems identified in the draft
A clear plan for privacy protection
A strategy for the protection of private communications by fair information practices
The assignment of responsibility of government agencies to oversee authorities, courts, and credential users regarding constitutional rights
The assurance that Internet users can continue to create, control, and own web content.

EPIC also emphasized the importance of applying Fair Information Practices to all personally identifiable information that is collected, retained or used, and recommended an explicit statutory provision that would apply protections in the Federal Privacy Act to all credential-related information.

On January 7, 2011, White House Cybersecurity Coordinator, Howard Schmidt and Commerce Secretary Gary Locke appeared at an event at Stanford University in California. In his speech, Locke detailed many potential threats on the Internet, claiming that the "cyber threat" was "one of the most serious economic and national security challenges we face as a nation." In order to lead the government's efforts on digital identity, Locke announced the creation of a National Program Office at the Department of Commerce, housed under the National Institute for Standards and Technology (NIST), that would be responsible for a digital identity framework.

As described by Secretary Locke in his announcement: The new Program Office would spearhead the development of NSTIC, though implementation would be outsourced to the private market, eliminating the need for a single overseer or a central database. (However, because the federal government will not be maintaining the databases of information, they will not be subject to the protections provided in the Federal Privacy Act of 1974). The digital identity program is also designed to be entirely voluntary to users. In addition to private industry, the General Services Administration and the Department of Homeland Security were also slated to assist with development of the new programs.

For the full NSTIC page, see EPIC: NSTIC

International Strategy for Cyberspace

On May 16, 2011, the White House announced the International Strategy for Cyberspace (ISC). The ISC outlines the United States' approach to cyber issues. The ISC states the goal of a "future for cyberspace that is open, interoperable, secure, and reliable." Policy priorities include:

Department of Commerce's Cybersecurity Policy Framework

On June 8, 2011, The Department of Commerce announced a new policy framework for cybersecurity and businesses online. The Department of Commerce Green Paper proposes voluntary codes of conduct for companies that do business online but are not part of the critical infrastructure sector. The framework makes specific policy recommendations, including:

Establish nationally recognized but voluntary codes of conduct to minimize cybersecurity vulnerabilities. For example, the report recommends that businesses employ present-day best practices, such as automated security, to combat cybersecurity threats and that they implement the Domain Name System Security (DNSSEC) protocol extensions on the domains that host key Web sites. DNSSEC provides a way to ensure that users are validly delivered to the web addresses they request and are not hijacked.
Developing incentives to combat cybersecurity threats. The report also recommends exploring and identifying incentives that could include reducing “cyberinsurance” premiums for companies that adopt best practices and openly share details about cyberattacks for the benefit of other businesses.
Improve public understanding of cybersecurity vulnerabilities through education and research. Programs like the National Initiative for Cybersecurity Education should target awareness and training to the I3S and develop methods for cost/benefit analyses for cybersecurity expenditures.
Enhance international collaboration on cybersecurity best practices to support expanded global markets for U.S. products. This should include enhanced sharing of research and development goals, standards, and policies that support innovation and economic growth.

The Green Paper was the product of the Internet Policy Task Force. The Department of Commerce launched the Internet Policy Task Force in April 2010. The Department of Commerce is seeking public comment on the Green Paper.