Seeking to bolster 'cybersecurity,' Congress sparks privacy concerns
This article first appeared in the St. Louis Beacon, April 30, 2012 - WASHINGTON – Every year, they vie for the title of “most conservative” member of Congress from Missouri. But U.S. Reps. Todd Akin and Blaine Luetkemeyer came down on opposite sides when the House voted Thursday to approve a bill to make it easier for companies to share information with the government about the threats facing their cyber networks.
Akin, R-Wildwood, voted against the bill – the Cyber Intelligence Sharing and Protection Act (CISPA) – because he felt it did not tackle cyber-threats “in a way that protects the privacy of American citizens.” But Luetkemeyer, R-St. Elizabeth, voted yes, asserting that it “ensures the privacy protections guaranteed by the Fourth Amendment to the Constitution and prevents the inappropriate disclosure of personal information to the public.”
That split – which aligned Akin on this vote with Missouri’s House Democrats and Luetkemeyer with the state’s GOP members other than Rep. Jo Ann Emerson, R-Cape Girardeau – illustrates the unusual politics of the cybersecurity-versus-privacy debate that is threatening to impede progress on the legislation in Congress.
In Thursday’s vote, 206 Republicans and 42 Democrats voted for the bill, while 28 GOP members and 140 Democrats voted no. In Illinois, Rep. Jerry Costello, D-Belleville, voted no while Rep. John Shimkus, R-Collinsville, voted yes.
Few lawmakers would argue with the premise that more needs to be done to protect the nation’s vital information systems and critical infrastructure from cyberattack. President Barack Obama and leading congressional Democrats advocate some sort of cybersecurity approach, as do GOP leaders.
The sticking point, though, is how to do that without interfering with the privacy and civil liberties of U.S. citizens. Obama’s administration opposed the House bill because of such concerns, threatening a veto because such legislation would repeal “important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality and civil liberties safeguards.”
Emerson, Akin differ from Luetkemeyer and Long
While they are no friends of the White House, both Emerson and Akin expressed concerns about the privacy issues raised by the House bill.
“Privacy concerns are a very serious consideration any time access to databases is being shared between private industry and the government, or vice-versa,” Emerson said Friday, adding that there are “serious questions about the bill's effectiveness.”
In a statement, Emerson said “we have to get at the substantive question of equipping law enforcement with the tools to protect companies, consumers and private citizens from hackers and cyber-threats, but we have to be especially concerned about any possible erosion of our civil liberties.”
For his part, Akin tried to offer an amendment – which the Rules Committee did not allow – that would have barred private companies from sharing with the government personally identifiable information of users or customers without a court order or express written consent.
“Cyber threats are real,” Akin said, “but we should not respond to these threats in a way that may violate the Fourth Amendment rights of Americans. The government has enough private information about American citizens — they should not be allowed to get more without a court order or the consent of the particular citizen.”
But Luetkemeyer and Rep. Billy Long, R-Springfield, said they were satisfied that amendments to the House bill provide adequate protection for individual privacy.
Contending that it is “imperative that steps are taken to protect families and businesses from cyber theft,” Long said the House bill protects privacy because it requires an independent inspector general audit of any voluntary information shared with the government and places a restriction on the government’s ability to search that information for issues unrelated to cybersecurity.
Luetkemeyer said in a statement that the House bill has “numerous safeguards” to protect Fourth Amendment rights.
He said the House approach “does not allow the government to monitor private networks, limits the federal government’s use of the information voluntarily provided, restricts the government’s ability to search the data for anything unrelated to cybersecurity, exempts the information from disclosure under Freedom of Information Act, treats the information as proprietary and prohibits the data’s use in regulatory proceedings.”
Pointing out that U.S. companies are expected to spend an estimated $130 billion to fix or defend against data breaches, Luetkemeyer said the House bill would give the government the authority to “safely share classified cybersecurity intelligence information with the private sector and the private sector to voluntarily share cybersecurity information with other private entities and the federal government.”
Without action to bolster cybersecurity, Luetkemeyer warned, vital network information would be “vulnerable to hackers, terrorists and foreign nations like China.”
On Friday, the House approved two other, far less controversial, bills related to cybersecurity:
- A "cybersecurity enhancement" bill to better coordinate federal research and development on cybersecurity, and establish a program for training federal cybersecurity experts. It also authorizes the National Institute of Standards and Technology to establish security standards for the federal government's computer systems. The bill passed by a vote of 395-10.
- The "Advancing America's Networking and Information Technology Research and Development Act," which would update a 1991 high-performance computing law. Provisions include redirecting research goals to reflect new technologies and breakthroughs or techniques for analyzing large sets of data. The bill also would establish a program to find gaps in cloud computing research.
Does the bill protect “critical infrastructure” networks?
Other than privacy concerns, another major objection to the House bill – which tends to focus mainly on the intelligence aspects of cybersecurity – is that it would not mandate new security requirements for what experts call the “critical infrastructure network” – the networks of electric grids, water systems and transportation.
The main Senate bill – the Cybersecurity Act of 2012, sponsored by Sens. Joseph Lieberman, D-Conn., and Susan Collins, R-Maine – would do so, proponents say. Its approach is backed by the Obama administration.
Lieberman and other sponsors of the Senate bill criticized the House’s approach, noting that it does not tackle the critical infrastructure problem and asserting that it “ignores the advice of our intelligence community, our national and homeland security leaders, as well as a number of prominent Republicans.”
But some major tech industry companies have expressed concerns that the Lieberman approach would impose nagging new requirements on private firms as well as utilities. They tend to prefer the House bill or a Senate alternative advocated by Sen. John McCain, R-Ariz., and others.
“The president wants the government to set the standards and to write the law for what cybersecurity’s going to look like,” said House Speaker John Boehner, R-Ohio, warning about government interference in Internet communications.
“You want to get the American people a little exercised, put the government in charge of the Internet.”
In its message threatening a veto of the House bill, the White House opened the door to a possible compromise later. “The administration looks forward to continuing to engage with the Congress in a bipartisan, bicameral fashion to enact cybersecurity legislation to address these critical issues,” said the statement from the Office of Management and Budget.
But the Senate legislation has stalled in recent weeks, in part because of turf battles among the committees with jurisdiction. Sen. Roy Blunt, R-Mo., a member of the Senate Intelligence Committee, has said he wants a strong cybersecurity bill this year, but has not yet commented directly on the House-passed bill.
Complaining that “the votes aren’t there” to pass a strong cybersecurity bill in the Senate, a prime sponsor of the House bill – Rep. Dutch Ruppersberger, D-Md., the ranking Democrat on the intelligence committee – told reporters that the House legislation is the best vehicle available right now.
“We need to protect our country today,” he said. “We’re being attacked as we speak. [The House bill] is the only mechanism to move forward.”