President Barack Obama signed a new cybersecurity executive order that gives him ultimate control over information gathered for the purposes of protecting it against nefarious individuals or groups. This has caused a ripple of concern among cybersecurity firms that could grow into a tsunami should the new legislation go forward.
On April 18, 2013, the U.S. House of Representatives passed The Cyber Intelligence Sharing and Protection Act by a vote of 288-127, despite a White House veto threat. The U.S. Senate declined to take up the bill and so it never became law.
An existing cybersecurity bill, known officially as H.R. 3523, would allow the various Federal agencies to still use information for "any lawful purpose" so long as “a significant purpose" of its use is deemed to be either a cybersecurity or a national security purpose.
James Robertson, a former federal and Foreign Intelligence Service court judge, testified at a congressional hearing that this "significant purpose" limitation is really “meaningless.”
The Patriot Act inserted this language into our foreign intelligence surveillance laws, and since then, in Judge Robertson's words, they have a "hole you could drive a truck through."
Fast-forward to January 2015: cybersecurity legislation has been revived by Congressmen C. A. “Dutch” Ruppersberger (D-Md.) and Mike Rogers (R-Mich.), the bill’s original sponsors.
Democrats are citing the SONY hack as a legitimate reason for reintroducing the bill. "We must stop dealing with cyber-attacks after the fact," Ruppersberger said in a statement. He said the bill aimed to stop cyberattacks in real-time and enable authorities to trace back to the source of the attack.
Tom Bossert, a former deputy assistant to the president on homeland security, claims the real strength of the legislation will be its ability to incentivize companies to share threat data and avoid negligence litigation as a result.
The Obama administration has expressed concerns regarding the authorization for businesses to use "certain potentially disruptive measures" to respond to cyber-attacks in the Protecting Cyber Networks Act.
"The use of defensive measures without appropriate safeguards raises significant legal, policy and diplomatic concerns and can have a direct deleterious impact on information systems and undermine cybersecurity," the act states.
The language being inserted into the existing cyber security legislation contains a new section (2, (d) (1)) that may actually hold the U.S. government somewhat liable for penalties: “With respect to the disclosure, use, or protection of voluntarily shared cyber threat information shared under this section, the United States shall be liable to a person adversely affected by such violation in an amount equal to the sum of the actual damages sustained by the person as a result of the violation or $1,000, whichever is greater.”
There are many questions about these so-called “cracks” in the law that would expose businesses to liability lawsuits.
It seems to me there should be a clearing house or specially appointed panel representative of all stakeholders in order to get this right. Unfortunately, legislators have taken it upon themselves to try and finagle a law that addresses all concerns but solves none of them.
Recently, the House Energy and Commerce Committee approved H.R. 1770. The bill was written by Rep. Marsha Blackburn (R-Tenn.) and Rep. Peter Welch (D-Vt.). Its stated goal is to "replace the current patchwork of laws with a single, national standard for protection and notification."
"It's imperative that we take action to prevent hackers' success and provide safeguards to consumers to protect their virtual selves if and when their data is compromised," Blackburn said after the legislation was introduced in March.
On April 22, the House of Representatives voted 307-116 to pass the Protecting Cyber Networks Act. Robyn Greene, policy counsel for the Open Technology Institute, said, “This is little more than a backdoor for general purpose surveillance.”
“PCNA would significantly increase the National Security Agency’s access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity,” reads a letter signed earlier last month by 55 civil liberties groups and security experts that includes the American Civil Liberties Union, the Electronic Frontier Foundation, the Freedom of the Press Foundation, Human Rights Watch and many others.
The American Civil Liberties Union just won a battle in the anti-Patriot Act war when a three-judge panel in the Second Circuit U.S. Court of Appeals struck down the legality of the NSA's metadata collection. If not appealed to a higher court, this could lead to an end of the government's bulk data collection of American phone records.
Here are the FIVE cyber security bills and their overlapping basic details. Clearly no one can make up their mind except those whom the legislation would affect negatively, namely cybersecurity firms. Since we don't have an overall government umbrella organization responsible for all cyber activity, our private sector drives a large portion of the cutting edge cybersecurity.
“The newly amended version of the re-introduced cybersecurity legislation still grants nearly unlimited authority to the Department of Homeland Security, the Department of Defense, and the National Security Agency, among others,” says military family owned cybersecurity firm Recon Secure Computing CEO, Tamara Davis.
Tamara continues, “The broadly-worded, and deliberately vague language of the bill, which imposes its standards above ‘any other provision of law,’ would override privacy contracts between companies and their customers. While it removes any liability for such private information being shared by companies, it throws open the door for customers’ rights to privacy to be abused.”
Tamara says, “Most importantly, the key words to this newly-amended legislation being proposed include ’unless otherwise directed by the President’ (2(b)(3)(C)(iv)(II)) text. Whenever such blanket statements are made regarding any existing legislation the entire legislation can be rendered meaningless. The realities of this proposed legislation are such that the heightened fears of the private sector are growing larger.”
Along with her husband, Jesse, a former Air Force security non-commissioned officer and private sector security software architect, the Davis family has created a state-of-the-art cybersecurity firm.
Tamara explains, “Recon Secure Computing would definitely be affected [by the legislation should it pass] not so much due to the legislation itself, but potentially through the exposure to unlimited government interference because of the presidential discretion clause.”
Tamara says that, “With this poison pill quietly tucked into it, the Cyber Intelligence Sharing and Protection Act effectively becomes a Trojan horse. Under the guise of giving more protections, it is in our opinion, stripping those very protections away.”
“Providing a framework used by public and private corporations to fight cyber threats is not a bad thing,” Tamara continues. “However, providing a framework that mandates the sharing of private and proprietary data used to produce that cyber security information is certainly a very bad thing.”
The fear among cyber security firms like Recon Secure Computing is that this Federal data-takeover will forever remain unresolved, which means the sharing of privately gathered cyber-threat intelligence is doomed to fail. Once again, meddling governmental do-gooders seem overmatched.
Tamara concludes, “As President Reagan so famously stated, ‘The most terrifying words in the English language are, ‘I’m from the government and I’m here to help.’”
Montgomery Granger is a three-times mobilized U.S. Army major (Ret.) and author of "Saving Grace at Guantanamo Bay: A Memoir of a Citizen Warrior." Amazon, Blog, Facebook, Linked-In, Twitter: @mjgranger1