Internet privacy expert and president and CEO of the Center for Democracy & Technology, Leslie Harris, gave The New New Internet her thoughts on the current administration’s plan to improve US cybersecurity. Harris was pleased with President Obama’s collaboration with civil liberty advocates and the private sector on the White House 60-Day review and hopes the partnership will continue. Yet Harris is also paying close attention to the privacy issues of NSA’s Einstein 3 project and the Cybersecurity Act of 2009. Harris hopes the Obama administration will continue to seek advice from privacy advocates and noted that not all cybersecurity solutions can fit under one broad law.
The New New Internet: What is the balance between American civil liberties, national security, and private networks as it relates to cyber security?
Leslie: The private networks that make up the Internet are our most critical infrastructure for free expression in politics and the principal way that Americans communicate with each other and obtain information. These are all highly protected constitutional activities, so it is not a question of what is the right balance. It's a question of considering solutions in the context of an environment that has high constitutional protection and where the rights of citizens are particularly at stake. We should start thinking about cyber security in less sweeping terms. You have to think about the solutions that might be appropriate in one environment–such as a water system, a power grid or banking system–those environments are not going to be appropriate in another. Having to identify and authenticate yourself to access a power grid network may be appropriate but the same requirements should not be broadly applied to the Internet. We are concerned that there is a tendency to treat the diverse elements that comprise so-called critical infrastructure as one, undifferentiated thing and to therefore to treat all these diverse elements the same when it comes to cybersecurity.
The New New Internet: What is your organizations view on President Obama's 60-Day Cyberspace Review and the cyber coordinator announcement?
Leslie: We were very pleased with the sixty-day review and how transparent the process was. The review team met with privacy advocates to explain the scope of the review and to solicit input. We were generally pleased with the report and the commitments that the President made, particularly the commitment that the government would not be involved in any kind of direct monitoring of private, civilian networks. We're pleased that the report emphasizes the importance of public/private partnerships rather than putting the federal government in charge of all solutions. We don't want to see the government imposing complex and perhaps unworkable solutions on the Internet. Overall, the plan is a first step. It doesn't include any mandates that we would think are inappropriate; however, there is a lot that remains to be written. Whoever ultimately runs the cyber security program is going to be critically important as to whether or not the privacy commitments that are laid out in the report are fully developed.
The New New Internet: The Department of Defense just came out with the new cyber command center headed by NSA. Do you think that is a good idea?
Leslie: A cyber command center set up to protect our defense networks is critical and entirely appropriate. I am concerned that at least according to the press reports I’ve seen, there is a lack of clarity as to how involved that set of players is going to be in cybersecurity efforts involving other government networks and private networks. There was certainly some ambiguity in Gates' statement about involvement of NSA and others in the defense of private networks. I recognize that given how data flows that there are going to be times when it is hard to separate communications that are in the private infrastructure from those in the public infrastructure; however, from our perspective the possibility of getting the NSA involved in monitoring or directly being involved in the private infrastructure is very chilling. How this new DoD cyber command center is going to interact with the President's overall plan“”and what role, if any they would play with the Department of Homeland Security in private network protection, is a big concern for us.
The United States shouldn’t be seen as taking the lead in explicitly giving a President that power; if that were the case, what would our position have been had Iran shut down the Internet during the recent protests there over the presidential election? It has not only civil liberties implications to the United States but also has global implications.
The New New Internet: What is your view of Capital Hill's perspective on cyber security as it relates to civil liberties?
Leslie: We obviously have concerns about the Rockefeller Bill and some of its provisions. First and foremost we have a concern about the provision of the bill that seems to give the President unfettered power to shut down critical infrastructure, including the Internet. I consider that a bit dangerous and unnecessary and am strongly opposed to that as a civil liberties matter. The United States shouldn’t be seen as taking the lead in explicitly giving a President that power; if that were the case, what would our position have been had Iran shut down the Internet during the recent protests there over the presidential election? It has not only civil liberties implications to the United States but also has global implications. I think there is a legitimate concern behind that provision that if we were to face a cyber Katrina, the lines of authority for responding are unclear. Who is in charge and what is the response plan. If that is the real concern, then perhaps the answer is for each part of the critical infrastructure to coordinate with the government and have a doomsday plan worked out and put in place.
We're also strongly opposed to the provision in the Rockefeller Bill that would give the Commerce Department the power ““ absolute power“”to acquire any information from any part of the critical infrastructure notwithstanding the limits set out in any other law; so in some ways it is giving the Department of Commerce more power to obtain information from networks than the FBI would have in a counterintelligence investigation. Again, if the goal is to encourage more information sharing, then lets do that without violating civil liberties. Security and liberty don't have to be at odds.
The New New Internet: What is the most important thing folk should think about as they read about what the Administration is doing in terms of cyber security?
Leslie: We are going to be looking to see how they turn their commitments about privacy into reality. The report makes really strong commitments about integrating privacy into just about every aspect of the plan. For example, the report endorses identity management, solutions for high value systems in order to build trust for online transactions. It is going to be really important from a privacy perspective to see what that actually means. Does that mean developing stronger identity in authentication in banking or does it mean having an Internet where everybody is identified and there is no anonymity? Those are two different approaches to anonymity. I believe the President's report intends to incorporate the second approach, which is a careful, strategic use of identity management in high value situations where it is particularly important and to reject the view that has been expressed by some cyber security experts that we shouldn't have anonymity, and we should be able to identify everybody online. That would be a tsunami with respect to how the Internet operates today. I think that is an important thing to watch.