As representatives from government and private security hammer out the details of the cybersecurity framework, privacy concerns are moving to the top of the agenda.
President Barack Obama’s executive order on cybersecurity is aimed at reducing threats to the nation’s critical infrastructure in part by getting the government and the private sector to share more threat-related information. But the order also calls on agencies to be aware of the need to protect privacy and civil liberties when sharing data on individuals.
One aspect of the executive order under close inspection by privacy advocates is the cybersecurity framework being developed for critical infrastructure, which is designed “to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.” The National Institute of Standards and Technology (NIST), part of the Department of Commerce, was tasked by the executive order to develop that framework of voluntary best practices.
One group particularly concerned about how the framework will deal with privacy is the Electronic Privacy Information Center (EPIC), a Washington-based research group. Jeramie Scott, a national security fellow at EPIC, helped author the center’s public comments to NIST. He emphasizes that the average citizen, and not just those in the private sector, should be concerned about what comes out of the framework when it comes to privacy. “Cybersecurity is something that affects everyone; most people use the Internet in one fashion or another, and when we’re talking about cybersecurity, to a large extent, that’s what we’re talking about,” he says. “Everyone should be concerned about [privacy] or interested in knowing exactly what the government is doing with information they’re collecting, what they are monitoring.”
Adam Sedgewick, the NIST senior information technology policy advisor who is in charge of the framework project, explains that the institute is taking privacy and civil liberties concerns seriously in developing the voluntary guidelines for industry. “We have privacy experts working with us, and I do think that will be a common theme that we keep on coming back to,” he says. “I think it’s going to be an important consideration for whatever is in the framework itself.”
Because the public is being encouraged to help with the development of the framework, Sedgewick says, privacy groups have an opportunity to speak up. In late February, NIST issued a request for information (RFI) for public comments from industry that would be taken into consideration when developing the framework. “[The RFI] really asked three questions in three big areas,” Sedgewick explains. “One area was how organizations manage cybersecurity risks generally; one was what frameworks, standards, and guidelines already exist that companies use to help with the cybersecurity risks; and then we asked a series of questions to drill down into particular areas about how organizations approach those things, including privacy and civil liberties.”
For purposes of the framework, the analysis defines privacy and civil liberties as “the ability of individuals to avoid harmful consequences to themselves arising from the use or exposure of information about themselves.”
To better address the issues moving forward, NIST provided several representative questions on the topic, including, “In addition to data security issues, what kinds of privacy and civil liberties issues arise out of cybersecurity practices?” as well as, “How do we quantify privacy and civil liberties risks arising out of cybersecurity practices?”
NIST’s analysis of the RFI, which resulted in nearly 250 comments, was published on May 15. The report lists “initial gaps” in the comments that were received, which it defines as “those areas where RFI responses were not sufficient to meet the goal of the executive order.” One of those gaps turned out to be “Privacy/Civil Liberties.” Though the report showed that 52 percent of public comments mentioned the topic, the comments did not substantively address the issue.
NIST is holding a series of four workshops to discuss and hammer out the details of the framework with industry leaders. (At press time, two of those workshops had already been conducted. The first workshop, which mostly set out the goals, was reported on in the May “Editor’s Note,” and some early analysis of written comments was reported on in the June “Homeland Security” department.)
Sedgewick says that the subsequent workshops are meant to be “in-depth working sessions around the country, where we’ve asked people to come in and roll up their sleeves and try to flesh out the responses we got, to make sure that we have the information we need at the end of this process for this framework.”
This give-and-take process is intended to allow privacy advocates and others to provide additional feedback. “Throughout the process you’ll see us kind of constantly popping back up and saying, ‘Okay this is what we heard, can you help us validate this, are there other gaps that we need to work to address?’” he says. “Privacy is obviously a key part…. We want to make sure that whatever is in the framework enhances privacy, and we think there are probably things we can talk about [regarding] how organizations can manage privacy, as well as security.”
That process began at the second workshop, where there were quite a few questions about how the framework would ensure that privacy and civil liberties were respected. One person in the audience asked whether the framework would provide explanatory language that could be used in court “when my rights get violated.” He asked the NIST panel, “What will result from this process to engage people when these things go to court, because someone’s rights will inevitably be violated?”
Ari Schwartz, the Internet policy advisor at NIST and a privacy expert, responded that NIST still “need[s] to figure out a way to get to the solutions.”
Schwartz also observed that he didn’t see a lot of chief privacy officers in the room. “Maybe we need to bring some of those in,” he said, with the goal of getting people involved who “have methodologies in this area.” For example, he said, “There are also practices and methodologies for protecting privacy that we know are common. We need to highlight them more and identify them more easily.”
NIST says it will seek to answer all the representative questions on a variety of issues before the preliminary version of the framework is due in October, and the final draft in February 2014.
EPIC’s Scott says the language of the framework will be crucial in protecting civil liberties, which is why EPIC’s comments “strongly encourage” NIST to spell out the “difference between cyberterrorism and cybercrime.” Scott emphasizes that the two terms should not be confused. “Cyberterrorism is a term kind of like national security that can envelop a lot of different stuff and become a basis for exempting themselves from privacy requirements,” he says.
Amie Stepanovich, director of EPIC’s Domestic Surveillance Project, is also a signatory on the center’s comments. She notes that what is being done with information collected on individuals evokes questions about security, and not just privacy. Everyone should be concerned about what the government does with personal information about them that ends up in a government database, she says.
EPIC invokes the Privacy Act of 1974 as well as the Freedom of Information Act (FOIA), stating that they should be a basis for privacy related to cybersecurity efforts which “may include the collection of personally identifiable information on individuals.” The Privacy Act was passed in an effort to create transparency in terms of what information the government is collecting on individuals and how it’s being used. FOIA, originally passed in 1966, makes government information available to the public and is often referred to as the right-to-know law.
Businesses are also concerned about data privacy and security when it comes to the cybersecurity framework. Lisa Sotto is head of the global privacy and data security practice at law firm Hunton & Williams LLP. She also serves as the chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.
Sotto says the private sector shares the concerns of privacy advocacy groups in some cases, though perhaps for different reasons. “EPIC doesn’t want the private sector to turn over data to the government because they’re afraid the government’s going to use the data for purposes that were not contemplated,” she explains. “Industry doesn’t want to turn data over to the government because they don’t want to be sued, and because there are liability concerns in doing it.” For example, liability is created for businesses when information turned over pertains to an individual, including personally identifiable information like Social Security numbers.
But Sotto adds that privacy considerations have to be balanced against the reality of the threat, which is not going away. She notes that not all businesses are doing enough to combat cyberthreats, making the framework even more crucial in laying out best practices for industry. “Some businesses are hyperaware of the threats, and others are hiding their heads in the sand, hoping that this goes away, and [they] really have no concept of how to manage this threat,” says Sotto. She adds that “it’s a very scary issue [because] it’s a new issue. There’s no playbook on how to deal with cyberthreats.”
Sotto says she thinks the framework will become that playbook for businesses when combating cyberthreats. “The framework is just going to be all-important. It will be viewed in my judgment as the standard of care going forward,” she says, “and to the extent a company is not implementing the framework, there may be lawsuits that follow.” Companies that don’t abide by the framework’s standard of care may be “deemed negligent.”
And that makes it all the more critical to get it right with regard to all the elements—including privacy protections.