As Congress moves to take up the complex issues of cybersecurity, the National Security Agency is gaining traction in its aggressive campaign to secure statutory authority to monitor private computer networks in real time to prevent cyber attacks.
The Washington Post reports that the NSA's quest to lead cybersecurity efforts on private civilian networks has been rebuffed so far by the White House and the Justice Department because of privacy concerns over the specter of 24/7 military surveillance of Americans' online activity.
But last week, Sen. John McCain (R-AZ) and a group of Republican Senators introduced the SECURE-IT Act (S. 2151), which gives the NSA some of what it wanted, an NSA-led surveillance program, albeit by another name.
The bill doesn't expressly authorize the NSA to oversee private computer networks, and in many respects is less regulatory than the Lieberman-Collins bill (S. 2105). But the devilish details matter and the details that matter here can be found in the information sharing provisions.
Congress has been considering information sharing proposals for years. There's broad consensus that the private sector should be permitted to share some types of information about cyber attacks with other entities so that the recipients of this information can protect themselves from similar attacks. In some cases, it is also appropriate for that information to go to the government, and likewise, it's appropriate for the government to share cyber attack information it sees on its networks with the private sector.
The key questions in all the information sharing provisions in all the pending cybersecurity bills are what information are we talking about, who is permitted or authorized to share with whom, and for what purposes can this information be shared and used? While the Lieberman-Collins bill wrongly permits the NSA to become the center of cybersecurity information sharing in the government, it wisely prohibits the use of cyber threat indicators for intelligence surveillance purposes. The SECURE-IT Act authorizes sharing that goes well beyond what is truly necessary to describe a cyber threat or to engage in self-defense and includes anything that would foster "situational awareness of the United States security posture." That information need not be shared for a cybersecurity purpose and may be directly shared with a range of intelligence and defense agencies, including the NSA. Unlike the Lieberman-Collins bill, SECURE-IT permits the information to be used for any national security purpose.
A great deal of personal information could fit the bill of fostering "situational awareness," and the bill permits private sector companies to share all of it unless disclosure is prohibited by law. This is breathtakingly broad. The way to prevent cybersecurity information sharing from becoming a backdoor surveillance program is to require that cyber threat information shared for cybersecurity purposes be used only for cybersecurity purposes.
What could be shared under the Republican bill? How about images from the drones that the FAA will soon be licensing to conduct private surveillance in the U.S., and the surveillance footage of vehicular traffic on major arteries and of people entering sensitive locations, sports stadiums and airports? Surely this information could foster "situational awareness" of the United States security posture. So, too, would records of certain purchases. Permitting private sector entities to share this information with a military intelligence agency created primarily to conduct surveillance abroad and in great secrecy puts civil liberties at risk and serves no cybersecurity purpose.
The private sector has strong capabilities and incentives to defend its own systems. The NSA can help, as it currently does, by providing intelligence about cyber threats, but the flow of communications information to NSA must be strictly limited and its use of that information carefully controlled. Without these limits and controls, cybersecurity information sharing becomes a sub rosa surveillance program and a major encroachment on our civil liberties.