WASHINGTON – The sponsors of comprehensive, bipartisan cybersecurity legislation Friday outlined a number of ways in which their bill will enhance privacy rights and civil liberties.
The Protecting Cyberspace as a National Asset Act of 2010, S.3480 – approved by the Senate Homeland Security and Governmental Affairs Committee June 24 by unanimous voice vote – will help ensure that the American people are protected against a cyber attack that could cause catastrophic damage to public health, safety, and national security.
The Senators – Chairman Joe Lieberman, ID-Conn., Ranking Member Susan Collins, R-Me., and Tom Carper, D-Del., — worked for more than a year to draft a precise and careful bill in consultation with a number of industry and cyber experts, as well as advocates for privacy and civil liberties.
“Our Committee has long been engaged in matters relating to privacy and civil liberties, and we believe that this legislation continues our efforts to secure our nation against all hazards, promote transparency and openness in government, and protect the rights of the American people,” the Senators said in a joint statement. “Stronger cybersecurity will, among other things, significantly improve privacy protections and help safeguard the personally identifiable information of all Americans.”
Highlights of the privacy and civil liberties protections in S.3480 are below. For a full overview please visit the Committee’s website.
National Strategy to Increase the Security and Resilience of Cyberspace: This legislation would create a White House Office of Cyberspace Policy to develop and coordinate federal policy efforts to secure critical cyber networks and assets. This office will have the responsibility of producing a national strategy that, while increasing the security and resiliency of cyberspace, must ensure the protection of privacy and civil liberties. The strategy would be made available to the public in an unclassified form.
Scope: Instead of expansive new authorities relating to cybersecurity, S. 3480 seeks to add precision and focus to complement existing laws. The bill specifies that only systems or assets whose disruption would cause a national or regional catastrophe would be required to meet risk-based security performance requirements developed by the Department of Homeland Security (DHS), in collaboration with the private sector and other affected departments and agencies. Owners or operators who believe their systems or assets were erroneously added to the list of covered critical infrastructure could appeal that decision. To qualify as a national or regional catastrophe, the disruption of the system or asset would have to cause:
• Mass casualties with an extraordinary number of fatalities;
• Severe economic consequences;
• Mass evacuations of prolonged duration; or
• Severe degradation of national security capabilities, including intelligence and defense functions.
The bill prohibits the Secretary of Homeland Security from identifying systems or assets as covered critical infrastructure “based solely on activities protected by the First Amendment of the United States Constitution.”
Preserving Free Speech in Cybersecurity Emergencies: If the government knows an attack that could have catastrophic consequences, this legislation would give the President the authority to implement emergency measures protecting a select group of the most important networks and assets needed to maintain our way of life. Emergency measures under the bill would automatically expire within 30 days. The President could renew the 30-day emergency measures up to three additional times for a maximum of only 120 days and after that Congress would have to approve any extension.
The bill would require that any of these emergency measures to be the “least disruptive means feasible” to secure the covered network, including an examination of the broader impact an emergency measure would have on the overall national information infrastructure. This section also specifically requires that the privacy and civil liberties of the American people are protected during these emergency periods. The owners and operators of these critical systems and assets also could propose alternative security measures to defend their networks, and implement them in lieu of directed emergency measures with the approval of the National Center for Cybersecurity and Communications (NCCC). The bill does not authorize any new surveillance authorities or permit the government to “take over” private networks.
Information Sharing and Privacy: A key goal of the bill is to increase information sharing to better respond to threats. The bill specifies that information sharing shall not lead to the disclosure of Personally Identifiable Information (PII). This includes a requirement that incident reports include appropriate mechanisms to protect PII. The bill would require the NCCC Director to develop specific guidelines to protect the privacy and civil liberties of people living in the United States, in conjunction with the privacy officer of the NCCC.
Transparency: Transparency is vitally important for increased cyber security. To be successful, more information must be shared about threats and the government’s efforts to defend against those threats. DHS, as a civilian agency, must be the lead for cybersecurity, and the Director of the White House Office of Cyberspace policy must be accountable to the public, and therefore confirmed by the Senate. DHS also has worked to provide security clearances to civil liberties and privacy advocates from around the country who will continue to ensure that civil liberties and privacy protections are included every step of the way.
Some additional privacy and civil liberty provisions of the bill include:
• Numerous requirements for consultation with the Privacy and Civil Liberties Oversight Board and the Information Security and Privacy Advisory Board within the White House, DHS, and other federal agencies.
• The creation of a full-time privacy officer within NCCC to consult on cyber security matters within DHS.
• An Office of Management and Budget review of existing policies relating to current privacy requirements for the federal government.
• A required report on US-CERT’s activities relating to privacy in an unclassified form to allow it to be shared widely.
• An opportunity for the public to comment and suggest improvements to the policy and operations of the NCCC.