As highlighted in his State of the Union address, on Tuesday night President Obama signed a new Executive Order (EO) aimed at bolstering the cybersecurity of critical infrastructure. While focusing primarily on methods for increased information sharing between the U.S. government and private corporations, the Executive Order includes important protections for individual privacy and civil liberties that AALL welcomes into the conversation on cybersecurity.
Though much attention was paid to cybersecurity in the 112th Congress, little progress was made. The Cyber Intelligence and Sharing Protection Act (CISPA) passed the House and stalled in the Senate amid serious concerns over Internet privacy. Congress further deadlocked over whether to give chief authority to the Department of Homeland Security (DHS), a civilian agency, or the National Security Agency (NSA), a military agency.
Though similar to CISPA in its goals, the Executive Order’s focus on individual privacy and civil liberties makes it a vast improvement over the proposed legislation. Section 4 of the Executive Order sets out cybersecurity information sharing practices that direct agencies to share the information they already lawfully collect with companies. The Attorney General, Director of National Intelligence, and Secretary of Homeland Security are tasked with creating a system to share threat information with critical infrastructure owners and operators. But unlike CISPA, the EO includes necessary protections about the flow of information (emphasis added):
Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities.
(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.
(c) In producing the report required under subsection (b) of this section, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS shall consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget (OMB).
(d) Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.
The EO counters concerns about making information sharing too easy by directing the Department of Homeland Security, the Privacy and Civil Liberties Oversight Board (PCLOB) and the Office of Management and Budget to evaluate current interagency information sharing. Agencies will in turn be held accountable to the Fair Information Practice Principles, which set rights and responsibilities, such as transparency and choice, in the collection and use of personal data. While PCLOB will certainly require increased staff and funding to complete this assignment, this task gives the board an important and fitting role in cybersecurity.
On Wednesday, Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) reintroduced CISPA (H.R. 624) in the same privacy-threatening form in which it appeared in 2012. While the legislation is cause for concern, Tuesday’s Executive Order is a clear signal that the White House supports strong privacy and civil liberties protections in its cybersecurity policy. It remains to be seen if CISPA’s supporters will find compromise with the administration, but it is clear cybersecurity will be a high-profile issue again this year.