Jay Kesan | Publications

Last week, the nation’s second-largest health insurance provider, Anthem, reported a theft of up to 80 million health records. Thieves could use this information to steal identities, ruin credit scores, or make counterfeit residency documents to allow dangerous criminals to pass through U.S. borders. This attack was just the most recent in a long stream of escalating and destructive cyber attacks. And our defenses against these attacks have not been keeping up.

One way to improve security is to encourage the government and private sector to share more information about vulnerabilities and the threats affecting sensitive systems. In January, President Obama unveiled a new legislative proposal about cyber security that focuses on information sharing. The proposal focuses on “cyber threat indicators” — a term that includes information about methods, vulnerabilities, and any “malicious reconnaissance” conducted by attackers.

If the President’s proposal is introduced as a bill, it may or may not actually become law. So far, the only successful cyber security bill that has focused on information sharing was limited to the government sharing information with the private sector. The National Cybersecurity Protection Act of 2014 was enacted last December and describes procedures for granting security clearances to allow certain private sector actors to gain access to classified cyber threat information. The President’s proposal would build on this law and create a mechanism for the private sector to voluntarily share cyber threat indicators.

Under this proposal, cyber threat indicators can be shared with certain parts of the government and with organizations that provide a forum for information exchange between the government and the private sector.  The President’s proposal would also create a “civilian cyber threat indicator portal,” which would be managed by the Department of Homeland Security. The portal would provide civilians a way to submit cyber threat indicators and would also allow civilians to receive cyber threat indicators quickly. This portal could improve the speed with which private organizations and the government handle cyber threats.

Privacy advocates are responding with skepticism. Most people do not want the government to know everything about their activities, even when their activities are legal. When you know someone might be watching, you may act in a way that you don’t want to. The chilling effect of surveillance is a major civil liberties concern. The President’s proposal includes some aspects that are designed to limit possible negative effects on civil liberties. For example, when disclosing cyber threat indicators, the disclosing party, such as a private company, must make reasonable efforts to remove information about individuals, when those individuals are unrelated to the cyber threat. How can policymakers ensure that only relevant information is shared with the government, while ensuring that citizens still feel like enough of their privacy is protected?

If the President’s proposal is introduced in Congress, it will join the Cyber Intelligence Sharing and Protection Act (CISPA) as the third consecutive attempt to pass an information-sharing cyber security bill. Opposition to CISPA made headlines in both previous Congressional sessions.

Measures to improve cyber security are critical, but so is privacy. Concerned members of the public should take the time to educate themselves about the options. A disastrous cyber attack is very possible in the near future, but we must not ignore civil liberty concerns in the interest of security. Instead, we should aim to improve security, while protecting privacy. A thoughtful and involved population will help ensure that policymakers consider the desires of their constituencies, while making major decisions that will likely have a significant effect on our information-based society and our lives.

Author – Jay Kesan
