Congress released the continuing resolution to fund the government into next year late yesterday. One provision in the bill should send shivers down the collective spines of those who treasure freedom of the Internet and the right to privacy. It appears that the Continuing Resolution (CR) pending in Congress will allow average American’s privacy rights to be violated.
Congress has struggled to pass legislation dealing with cybersecurity threats to the power grid and financial institutions termed “critical infrastructure.” The Senate has tentatively scheduled votes on legislation to deal with this issue, yet the Senate, and Congress as a whole, has yet to pass legislation dealing with this issue. The reason for the impasse is that there is a deep concern that if too much power is granted to the federal government in the name of protecting critical infrastructure, this new authority may allow the federal government to monitor activities with little or no relation to cybersecurity threats.
The Administration has chosen to ignore the legislative process to implement their own secret plan. The Obama Administration has secretly prepared an executive order to implement an executive order dealing with cybersecurity. Language in the CR appears to rubber stamp this secret (from the public) cybersecurity plan. The fact that his plan has yet to receive a full vetting by the American people is outrageous.
This past weekend, a draft cybersecurity executive order was leaked by the Obama Administration to members of the press. According to Federal News Radio “the draft EO includes eight sections, including the requirement to develop a way for industry to submit threat and vulnerability data to the government. The draft EO, which Federal News Radio viewed a draft copy of, closely follows the second version of comprehensive cyber legislation introduced by Sens. Joseph Lieberman (I-Conn.) and Sen. Susan Collins (R-ME) (R- Maine) in July. The draft order gives agencies several deadlines to meet, either by writing reports or creating and implementing frameworks.” This is legislation that has never passed the Senate.
The Lieberman/Collins approach is something that many defenders of a free Internet oppose. The Center for Democracy and Technology circulated a letter that states in part that the Lieberman/Collins approach “undermines privacy and cybersecurity by expanding without justification the authority for companies to monitor their clients’ and customers’ Internet usage for broadly defined ‘cybersecurity threats,’ by authorizing ill-defined ‘countermeasures’ against such ‘cybersecurity threats,’ and by immunizing companies against liability for monitoring activities that violate their own contractual obligations.”
The letter also argues that Lieberman/Collins “creates an exemption from all existing privacy laws to allow companies to share communications and records with the government, even if those personal records are not necessary to describe a cybersecutiry threat.” They are not the only ones upset about the potential danger to freedom that the Obama cybersecurity approach portends for Americans.
Senator Sen. John McCain (R-AZ) (R-Arizona) wrote to Gen. Keith Alexander, Director of the National Security Agency, on May 9, 2012 that 90 percent of critical cyber infrastructure is owned and operated by the private sector. McCain wrote “the authorities that would be granted to the Secretary in the Cybersecurity Act (Lieberman/Collins) are in fact, too burdensome. I am unaware of the Congress ever creating a regulatory regime in which it does not say what entities would be regulated, and simultaneously authorizes a government agency, an agency with few if any regulatory successes, to determine what needs to be regulated and how to regulate it.” In short, McCain argues that the Lieberman/Collins approach grants too much authority with little in the manner of constrains on government authority.
Freedom loving Americans should be concerned by the secrecy in which this executive order is being drafted and the fact that it closely resembles the Lieberman/Collins approach. From what we know, this idea would grant the federal government way too much authority over monitoring the activities of average citizens.
Opposition is not limited to libertarian minded organizations and Senator Sen. John McCain (R-AZ). Steven Bucci of The Heritage Foundation has written that “cybersecurity executive fiat is a very bad idea.” Bucci argues that “the reason the (Lieberman/Collins) bill did not pass was because there are reasonable and serious policy differences regarding how the nation should approach the growing challenge of cybersecurity. These differing camps are not at opposite ends of the political spectrum, but are spread throughout the American ideological landscape.”
Furthermore, Bucci argues that “the main complaint with the bill was that it was based on aregulatory framework. Even though the staffs made some of the major provisions ‘voluntary,’ individual agencies could have promulgated regulations that would have been binding in specific industry sectors. The bottom line is that a significant number of relevant players think regulation is the wrong way to foster cybersecurity.” These are serious objections that deserve the input of the American people.
The Obama Administration leaked one nugget that their executive order is “voluntary.” Federal News Radio reports that “one subsection would ask industry to voluntarily submit cyber threat information to the government. The draft order says this data wouldn’t be used for regulatory purposes or used against companies. Sources say there aren’t any liability protections in the EO because that could only come from Congress.” If the federal government comes to private companies to request this information, it is hard to imagine that these companies will treat these requests as a voluntary request. One merely needs to refer to what happened during the TARP negotiations in 2008 when then Secretary of the Treasury Hank Paulson ordered banks to “voluntarily” take bailout monies or be subject to pressure and intimidation.
According the New York Times, based on documents acquired by Judicial Watch, “although ithas long been known that Henry M. Paulson Jr., the Treasury secretary at the time, had insisted that the banks’ top executives accept the government money, the documents provide details of the government’s full-court press at Mr. Paulson’s meeting with them on Oct. 13 and how the bankers had no choice.” The same may happen with this cybersecurity executive order.
Information obtained from Capitol Hill indicates that the Obama Administration requested language in the CR that may serve to grant President Obama the authority to implement his scheme without the explicit consent of Congress. The CR contains language that seems to grant authority to the Obama Administration to move forward with this secretly drafted Executive Order in the next few weeks.
Section 137 of the CR appropriates new monies for “‘Department of Homeland Security–National Protection and Programs Directorate–Infrastructure Protection and Information Security’ at a rate for operations of $1,170,243,000, of which $328,000,000 is for Network Security Deployment, and $218,000,000 is for Federal Network Security that may be obligated at a rate for operations necessary to establish and sustain essential cybersecurity activities, including procurement and operations of continuous monitoring and diagnostics systems and intrusion detection systems for civilian Federal computer networks.” This section provides money to fund a new cybersecurity initiative, even though Congress has yet to pass any legislation authorizing the use of the money. As many Congress watchers understand, once monies are appropriated for a specific activity, the Congress is deemed to have approved. It is arguable that this language could be interpreted to grant authorization for the Obama Administration to implement their executive order mirroring many provisions of the failed Lieberman/Collins cybersecurity legislation.
The CR has a second provision states “(b) Not later than 15 days after the date of the enactment of this joint resolution, the Secretary of Homeland Security shall submit to the Committees on Appropriations of the House of Representatives and the Senate an expenditure plan for essential cybersecurity activities described in subsection (a) of this section for the period through the date specified in section 106(3) of this joint resolution.” This seems to grant the Obama Administration authority to implement the plan, as long as they provide a report to Congress before the expiration of the CR in six months.
It is very difficult to asses the true danger this idea poses to freedom, because of the secretive nature of the negotiations and the fact that this executive order is not public. But it is safe to say that the manner in which this plan is being drafted and implemented runs afoul of the traditional means to make very important decisions that impact privacy rights and the proper role of the federal government in monitoring the activities of private citizens.