Eager to head off criticism from privacy advocates and users over the expanded surveillance provisions in its forthcoming National Strategy for Securing Cyberspace, the Bush administration is expected to recommend appointing a federal “privacy czar” to act as watchdog. Chief among the czar's duties would be to vet all government data gathering and security initiatives for potential privacy problems, according to a draft of the plan.
The draft plan, obtained by eWeek, also calls for the government to find a “flexible, nonregulatory” approach to encourage enterprises to improve their privacy protections and policies.
The chief privacy officer would work in the proposed Department of Homeland Security and would oversee a privacy advocate at each federal agency. The advocates would be responsible for facilitating an annual review of each agency's compliance.
The advocates and the federal CPO would work with a national advisory group to “ensure broad input into, and consideration of, privacy issues in implementing the national strategy to achieve solutions that protect privacy while enhancing network and host security,” according to the plan.
“It's an important step to name a privacy officer,” said Vince Schiavone, a member of the board of the International Association of Privacy Officers and president and CEO of ePrivacy Group, a privacy consulting company in Philadelphia, which counts the Federal Trade Commission and other government agencies among its clients. “The government's privacy efforts are sorely needed,” said Schiavone, “in light of its surveillance proposals.
“To find the bad guys and the bad stuff amongst the good guys and the private stuff, they have to look at it all. It is a very real governmental privacy issue that needs to be thoughtfully and carefully monitored.”
In addition to its own initiatives, the government is searching for ways to get private enterprises up to speed on privacy protections without new legislation. Privacy experts say that likely approaches range from enforcing existing laws to using the government's purchasing power to single out products that adhere to privacy requirements.
It is clear from the privacy recommendations in the national plan that the government expects a measure of criticism over the security provisions in the strategy. One section discusses the often-problematic relationship between security and privacy but offers little in the way of solutions.
“At times there may be apparent tension between security and privacy values,” the section reads. “Where tensions do arise, an active and open communication process must exist for evaluating the competing interests rigorously and thoughtfully, and identifying solutions.”
Jim Dempsey, deputy director of the Center for Democracy and Technology, in Washington, said that the privacy recommendations are positive on their face but do not necessarily outweigh the harm to privacy that other segments of the strategy could cause.
“All of these [recommendations] are good ideas,” Dempsey said. “It depends upon what the report says about things like data retention, data mining and how you handle intrusion detection.”
The government's plan includes numerous proposals aimed at expanding the government's security efforts as well as expanding its electronic surveillance capabilities.
According to the plan, the administration wants to establish a centralized facility for collecting and examining data traffic in search of security threats. The plan also encourages private operators to accelerate data gathering.
All this is aimed at improving the state of government and private-sector network security, which is a source of much consternation for federal security officials. Many in Washington feel that the focus on security in the past year has yielded few tangible results.
“It's a little better, not much,” Richard Clarke, chairman of the President's Critical Infrastructure Protection Board, which spearheaded the strategy, told eWeek. “I think taking [these] different federal organizations and merging them into the Department of Homeland Security and giving them a decent budget [will help]. That organization is going to be the pointy end of the spear defending us from cyber-attacks.”
Aside from the new department, the government is working quietly on several fronts to tighten security. Clarke has been collaborating with major ISPs and the Defense Advanced Research Projects Agency to help secure IPv6, the next version of Internet Protocol. There's also been work on securing the Internet's Domain Name System and Border Gateway Protocol.
Howard Schmidt, vice chairman of the PCIPB, said the degree to which risk has been minimized varies from network to network. “CIOs and internal auditors have been working hard, but this is a complex issue,” Schmidt told eWeek. “I think what we have minimized is the risk of anybody exploiting known vulnerabilities to do long-term sustainable damage.”