Cyber-Security Should Not Limit Enterprise Privacy
President Barack Obama unveiled a cyber-security plan last week that he hopes will ensure the United States is kept secure from cyber-threats going forward. He plans to find a cyber-security coordinator to oversee those efforts.
The cyber-security plan will revolve around a few key initiatives. First off, President Obama wants to establish a framework for incident response, giving government officials and U.S. citizens more guidance in the event of a serious attack. The President also wants to use government resources to spur innovation in the security industry. Obama believes that if the private sector and the public sector work together, the United States could become much safer over time. Following that logic, the President said he wants to increase the number of federal IT workers, while promoting security awareness around the country.
"From now on our digital infrastructure, the networks and computers we depend on every day, will be treated as they should be - as a strategic national asset," Obama said during a press conference last week. "Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient."
It's an interesting comment. The President used two buzzwords, secure and trustworthy, in the same sentence. But in the IT business, security and trustworthiness are not necessarily mutually exclusive. See, the idea of keeping the United States more secure through cyber-security initiatives is great on the surface. It will keep U.S. citizens secure (there's that word again). But will it make the U.S. government trustworthy? And more importantly, will it ensure that the privacy of both consumers and the enterprise is maintained?
There's no way to tell.
Although it was originally proposed April 1 by Sen. Jay Rockefeller and not President Obama, the Cybersecurity Act of 2009 would give President Obama unprecedented control over private networks. If the bill passes, the President could designate private networks as a "critical infrastructure system or network." Once that happens, the President could "declare a cyber-security emergency and order the limitation or shutdown of Internet traffic to and from" that network. The bill also proposes that software companies would need to get government approval on new security applications.
But the biggest problem with the bill is that it would provide the Secretary of Commerce with the authority to access "all relevant data concerning [private] networks without regard to any provision of law, regulation, rule or policy restricting such access." In other words, the company operating the private network wouldn't have any legal recourse if the government decided to swoop in and access any and all "relevant" data on the network.
To assuage security concerns, the bill does feature a caveat, which requires the president to justify his actions "with appropriate civil liberties and privacy protections." Whatever that means.
How Far Will the Government Go?
Maybe it's an overabundance of irrational concern, but am I the only person who thinks this bill is using security as a tool to invade the privacy of the corporate world and its employees? It's a real possibility.
There's no debating that more attention needs to be paid to keeping the United States secure from cyber-threats, but just how far the government will go to ensure civil liberties are maintained is very much in doubt. And no matter how many arguments are made in defense of civil liberties on the part of politicians, it's difficult to believe them when bills like the Cybersecurity Act of 2009 are even proposed.
For his part, President Obama did say in a speech last week that the country's "pursuit of cyber-security will not include ... monitoring private sector networks or Internet traffic." He went on to say that his administration will "preserve and protect the personal privacy and civil liberties that we cherish as Americans."
That's certainly nice to hear. But whenever cyber-security policies are made a part of the U.S. government's initiatives, it's privacy that takes a blow. That doesn't mean it will continue to happen going forward, but if we are to use the past as our guide for the future, it's difficult to see how the government's new stance can really ensure enterprise privacy.
And perhaps that's the biggest problem with President Obama's plan and plans set forth by members of Congress. They realize that privacy is a major concern so they address it in statements before they enact policies. But as the enterprise starts being impacted by those policies, it quickly becomes clear that the government has the power to change its own rules whenever it's deemed necessary.
Say what you will about cyber-security and its importance to the future of the United States. But when it comes to limiting enterprise privacy, not even protection against foreign hackers is as important to the fabric of this country as privacy.
"We must protect our critical infrastructure at all costs - from our water to our electricity, to banking, traffic lights and electronic health records - the list goes on," Sen. Rockefeller said in a statement earlier this year. "It's an understatement to say that cyber-security is one of the most important issues we face; the increasingly connected nature of our lives only amplifies our vulnerability to cyber-attacks and we must act now."
At all costs? Let's hope not.