Experts testifying at a hearing in front of the House of Representatives' Subcommittee on Intellectual Property, Competition and the Internet criticized the White House's plan for domestic cybersecurity, saying that as it stands, the plan could hand over too much power to the government, as well potentially opening the door to major privacy violations.
The proposal would give the government new authority to access private data, bypassing previous legal limits, according to Leslie Harris of the Center for Democracy and Technology, who said that the plan "simply sweeps away all of these laws in favor of this broad information sharing."
The plan asks that private organizations share information about security breaches with the government, and promises immunity when sharing such information. Though the kinds of information that can be shared are limited to matters of cybersecurity, Representative Melvin Watt said that the policy reminded him of the immunity granted telecom companies following the government's wiretapping program post-9/11.
"These companies could then do something that's unconstitutional just because you say it's not," he said. "People get very uncomfortable with the idea that the government can just call up someone, demand information, and then provide them immunity."
And, though information sharing is technically voluntary, Representative Darrell Issa remained skeptical that private companies would not bow to governmental pressure if pushed.
"Your asking for cooperation with the force of your ability to make life miserable on private-sector companies behind closed doors is not a voluntary act," he said. "You can be very, very convincing."
Experts also pointed out that the plan gives the Department of Homeland Security an unprecedented level of power. The proposal puts the DHS's responsibility to protect federal civilian networks on the same level as the Department of Defense's aim to protect U.S. military networks, solidifying its authority to act in such a role.
Philip R. Reitinger, deputy undersecretary for the DHS National Protection and Programs Directorate, said that the proposal "strengthens DHS's role to deploy more rapidly intrusion protection, intrusion prevention, and other mechanisms for the federal government."
But others worried that handing over such control to the DHS would have the potential to stifle private industry, harming economic innovation.
"The president's plan gives the Department of Homeland Security unfettered authority to regulate private industry," said Representative Bob Goodlatte. "Do the American people really want their regulatory agencies turned into quasi-fiefdoms? Regulatory mandates are unlikely to [lead to] private-sector cybersecurity improvements and will likely hinder economic growth"
Part of the problem, experts agreed, was that the plan might not draw adequate distinctions between military government systems, civilian government systems, and those owned and operated by the private sector.
"Government monitoring of private-to-private communications likely will not occur through the front door," Harris, of the CDT, said. "Rather, there is a possibility that government monitoring would arise as an indirect result of information-sharing between the private and public sectors, or as an unintended byproduct of programs put in place to monitor communications to or from the government."