Finding Common Ground on Privacy Protections in Cybersecurity
There has been a lot of focus in the cybersecurity debate on the cyber threat information sharing approach in the bipartisan Rogers-Ruppersberger bill and on concerns about the privacy protections in the legislation. That’s why ITI and a number of our member companies have been talking at length with the Center for Democracy and Technology (CDT) to try to find common ground that addresses privacy groups’ concerns while moving ahead with cybersecurity protections.
What we all want to achieve is a cybersecurity structure that protects Americans and America. A number of reports chronicle the reality we face:
- 14 victims/second: Every second, 14 adults become victims of cybercrime, resulting in more than one million cybercrime victims every day -- Norton 2011 Cybercrime Report.
- Crimes on the rise: The average daily volume of Web-based intrusions observed in 2010 was 93 percent higher than in 2009 – Symantec Internet Security Threat Report, Volume 16.
- It’s personal: 95 percent of all the data compromised by cyber intrusion were of personal information – names, addresses, Social Security numbers, and so on – Verizon 2012 Data Breach Investigations Report.
These data – and plenty more – point to the simple fact that cybersecurity equals personal security, and what’s in place right now needs to be strengthened. We need a new approach that is fast, flexible, and forward-thinking, that protects the American people in a more effective way. That said, none of us wants to see individual privacy cast aside in a well-intentioned effort to stop cyber threats.
Which brings us back to our efforts with the CDT. Its staff has championed the effort to strengthen the privacy protections in the legislation. Equally, the staffs of Chairman Mike Rogers and Ranking Member “Dutch” Ruppersberger have taken significant steps to work with CDT and other stakeholders on this legislation. The result is real progress in the bill to safeguard individuals’ information while allowing for a cyber threat information sharing system to help protect all of us online.
Improvements in the current version of the bill include:
- Recipients of cyber threat information may only disclose that intelligence to a certified entity or appropriate part of the federal government;
- The federal government may only use shared cyber threat information if at least one significant purpose is for cybersecurity or national security protection; and
- The Inspector General of the Intelligence Community must issue an annual report reviewing the use of cybersecurity threat information and develop metrics to determine the impact on privacy and civil liberties.
Another important part of the bill safeguards individual privacy from government agencies so that personal data are not exploited. A company that shares information voluntarily with the federal government can place tough restrictions on the data, including who can use the information and how it is used. Irrelevant user experience and history, transactions, and personal information would be shielded. This is spelled out plainly in the legislation (section 1104 (b) (3) (A)).
The bipartisan cybersecurity bill, H.R. 3523, has been equated to SOPA. It’s a false comparison. The two bills are not nearly alike in scope, purpose, or practice. SOPA would have fundamentally altered the relationship between Internet users and the companies that provide online access and services; H.R. 3523 does not. This legislation shields users and the sites and systems that we all utilize every day. SOPA and PIPA were mostly about protecting copyrighted works of entertainment, such as movies and music. Under the bipartisan Rogers legislation, the big winners will be ordinary consumers who utilize the Internet to improve their everyday lives.
We fully respect the efforts that CDT and other like-minded organizations have put forward on this legislation, and we will continue to work with them to find additional ways to protect individual privacy. But, likewise, we fully support Rogers-Ruppersberger. The bill establishes an innovative cyber threat information sharing system as an essential part of a modern cybersecurity defense. This system would give security experts the tools they need to anticipate and identify threats quickly, move to stop them, and take immediate steps to shield people’s personal information from criminals.
We want to work together to protect people, networks, and our country from cyber intrusion.
As the debate moves to the full House next week, we will continue to work with Chairman Rogers, Ranking Member Ruppersberger, CDT, and others to shape final legislation that will protect America from cyber threats and shield Americans from cyber abuse.