Crossroads Blog | CYBER SECURITY LAW AND POLICY

Criticism, Legislation, Privacy

Concerns About the Cyber Security Act Of 2012

Last week, Senate Democrats released their proposed cybersecurity legislation: The Cyber Security Act of 2012 (CSA).  You can get some background on the CSA here, but the basic idea is that DHS would regulate critical infrastructure.  Of course, the CSA immediately ran up against Republican opposition, with Sen. McCain promising to offer an alternative bill that gives the NSA more power.  Beyond Republican opposition, civil liberties groups have raised concerns that the CSA is too broad . . .

***

On Feb. 23rd, 2012, Elinor Mills wrote for CNet on concerns that the CSA could curtail civil liberties.  Notably, civil liberties groups have homed in on the CSA's information sharing provisions.  Those provisions would allow for threat information sharing between the US government and the private sector.  The specific provision in question, according to CNet, would allow "a Federal entity" to "disclose cybersecurity threat indicators" if "the information appears to relate to a crime which has been, is being, or is about to be committed."

What's the concern?  The article noted that the language doesn't define "crime."  This, according to counsel for the Electronic Privacy Information Center, may "allow the government to flag any activity which may indicate a potential crime." 

Moreover, the CNet article quoted a senior staff attorney from the Electronic Frontier Foundation; he expressed concern that "the bill could turn into a new version of 'warrantless wiretapping.'"  If the CSA allows any private entity to defend against cybersecurity threats, then any private entity could read citizens' e-mails transiting its servers.  The big point is that the CSA may allow for monitoring of private citizens without "accountability or liability."

On the other hand, the article mentioned one critical infrastructure expert who believes these concerns are overblown.  That expert argued that minor wording changes within the bill could solve all of these problems.

You can find the CNet article here.

***

To provide the opposite view:

On Feb. 22nd, 2012, Gus P. Coldebella (former acting GC, DHS) wrote for The Hill that the CSA subjects private entities to too much legal liability.  Again, the basic idea is that private entities share cyber threat information with the federal government without fear of legal liability.  In exchange, these private entities get what Coldebella refers to as the "secret sauce": "intelligence and law enforcement information."  However, in regard to information sharing, Coldebella argued that the CSA doesn't do enough to protect private entities from legal liability.

Now, the CSA does have a provision that protects private entities from legal liability: "[The CSA] even purports to eliminate any criminal or civil causes of action arising from authorized monitoring, defending, or sharing." 

However, Coldebella points out another provision that allows for civil claims in the event an entity does not use “reasonable efforts to safeguard communications, records, system traffic, or other information that can be used to identify specific persons.”  This provision is rife with ambiguities ("What's reasonable? And who decides?") and could potentially undo the liability protections the CSA affords.

You can find The Hill article here.
