Civil liberties groups: Proposed cybersecurity bill is too broad
Lack of clear definitions regarding who can monitor threats, what countermeasures are allowed, and what constitutes a "crime" has civil liberties groups worried.
The cybersecurity bill introduced last week in the Senate is too broad, say privacy experts who worry that it could authorize wiretapping and curtail civil liberties.
The Cybersecurity Act of 2012,by Sens. Joe Lieberman (I-Connecticut), John D. Rockefeller IV (D-West Virginia), Susan Collins (R-Maine), and Dianne Feinstein (D-California), is designed to protect the nation's critical infrastructure, which provides vital services such as water, energy, and transportation. It calls on the Department of Homeland Security to work with network operators to develop security standards, a provision that Republican lawmakers, including Sen. John McCain (R-Arizona), object to on the grounds that government regulation will hinder innovation.
But representatives from the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center have other concerns about the proposed legislation.
A provision governing disclosure of information to law enforcement says a "cybersecurity exchange that is a Federal entity may disclose cybersecurity threat indicators" if "the information appears to relate to a crime which has been, is being, or is about to be committed."
But there is no definition of "crime."
"We do have some serious concerns about this language," said Amie Stepanovich, counsel for the Electronic Privacy Information Center (EPIC). "The bill would, essentially, allow the government to flag any activity which may indicate a potential crime. The bill does not specify any type of crime, or even if it has to be a felony or a misdemeanor."
Lee Tien, senior staff attorney at the Electronic Frontier Foundation, said he was worried that the statute did not make clear exactly who could monitor systems and what "countermeasures" would be permitted to stop a cybersecurity incident--that the bill could turn into a new version of "warrantless wiretapping."
The measure gives authority for monitoring and defending against cybersecurity threats to "any private entity."
"It says any 'private entity' can do this. Not just providers of telecom service" or other legitimate parties, Tien said. "Under this bill, because your e-mail is transiting their system then they can keep a copy of it and analyze it for cybersecurity purposes."
And the definitions are "fuzzy" so it's also unclear what is allowed or disallowed under "countermeasures," he said.
"If my packets pass through your router on the way to someplace else, this would seem to say [you] have the broad authority to modify or even block those data packets without regard to any of the big five telecoms laws so long as [you], in good faith, believe [you're] protecting [your] system from a cybersecurity threat," Tien said. "All of that is very broad."
In other words, monitoring is completely immune from any laws, he said. "Merely restricting who can monitor doesn't limit what they can monitor," he added. "There's no accountability or liability."
The loose language and potential for broad interpretation could allow companies to use the countermeasures provision to take actions to protect copyright or block digital rights management circumvention, he said. Meanwhile, including "technical vulnerability" and "method of defeating an operational control" as possible definitions for "cybersecurity threat indicator" could put legitimate security research at risk, he added.
However, a critical infrastructure security expert dismissed concerns that the bill could be used to authorize warrantless wiretapping and said minor wording changes to the measure could solve the problems EPIC and EFF have brought up. For example, the language "any private entity" can be restricted to "critical infrastructure operator," while "countermeasures" could be limited to specific cybersecurity threats.
"Americans shouldn't have to worry about their civil liberties being trampled if we can constrain the scope and the definition of critical infrastructure assets" covered in the bill, said Jesse Hurley, chairman of the critical infrastructure committee at the North American Energy Standards Board and CEO of Shift Systems, which was awarded the first license to operate the public key infrastructure for the wholesale electric grid in the U.S.
"It's the first time that privacy organizations have been really powerfully recognized in legislation by being invited to consult on federal regulations, and that is an amazing novel step in protecting traditional American freedoms," he added.