President Barack Obama’s executive order on cybersecurity is aimed at reducing threats to the nation’s critical infrastructure in part by getting the government and the private sector to share more threat-related information. But the order also calls on agencies to be aware of the need to protect privacy and civil liberties when sharing data on individuals.
One aspect of the executive order under close inspection by privacy advocates is the cybersecurity framework being developed for critical infrastructure, which is designed “to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.” The National Institute of Standards and Technology (NIST), part of the Department of Commerce, was tasked by the executive order to develop that framework of voluntary best practices.
One group particularly concerned about how the framework will deal with privacy is the Electronic Privacy Information Center (EPIC), a Washington-based research group. Jeramie Scott, a national security fellow at EPIC, helped author the center’s public comments to NIST. He emphasizes that the average citizen, and not just those in the private sector, should be concerned about what comes out of the framework when it comes to privacy. “Cybersecurity is something that affects everyone; most people use the Internet in one fashion or another, and when we’re talking about cybersecurity, to a large extent, that’s what we’re talking about,” he says. “Everyone should be concerned about [privacy] or interested in knowing exactly what the government is doing with information they’re collecting, what they are monitoring.”
Adam Sedgewick, the NIST senior information technology policy advisor who is in charge of the framework project, explains that the institute is taking privacy and civil liberties concerns seriously in developing the voluntary guidelines for industry. “We have privacy experts working with us, and I do think that will be a common theme that we keep on coming back to,” he says. “I think it’s going to be an important consideration for whatever is in the framework itself.”
Because the public is being encouraged to help with the development of the framework, Sedgewick says, privacy groups have an opportunity to speak up. In late February, NIST issued a request for information (RFI) for public comments from industry that would be taken into consideration when developing the framework. “[The RFI] really asked three questions in three big areas,” Sedgewick explains. “One area was how organizations manage cybersecurity risks generally; one was what frameworks, standards, and guidelines already exist that companies use to help with the cybersecurity risks; and then we asked a series of questions to drill down into particular areas about how organizations approach those things, including privacy and civil liberties.”