WASHINGTON – The federal government's plan to expand computer security protections into critical parts of private industry is raising concerns that the move will threaten Americans' civil liberties.
In a report for release Friday, The Constitution Project warns that as the Obama administration partners more with the energy, financial, communications and health care industries to monitor and protect networks, sensitive personal information of people who work for or communicate with those companies could be improperly or inadvertently disclosed.
While the government may have good intentions, it "runs the risk of establishing a program akin to wiretapping all network users' communications," the nonpartisan legal think tank says. The Associated Press obtained a copy of the report in advance.
Cybersecurity has become a rapidly expanding priority for the government as federal agencies, private companies and everyday people come under persistent and increasingly sophisticated computer attacks. The threat is diverse, ranging from computer hackers going after banking and financial accounts to terrorists or other nations breaching government networks to steal sensitive data or sabotage critical systems such as the electrical grid, nuclear plants or Wall Street.
Privacy has been a hotly debated issue, particularly as the Pentagon broadens its pilot program to help defense contractors protect their networks and systems. Several companies, including critical jet fighter and drone programs, have been attacked, although the Pentagon has said that no classified information was lost.
And there are plans for the Homeland Security Department to use the defense program as a model to prevent hackers and hostile nations from breaching critical infrastructure. Officials have suggested that Congress needs to craft legislation that would protect companies from certain privacy and other laws in order to share information with the government for cybersecurity purposes.
DHS spokesman Matt Chandler said the legislative proposals reflect the administration's commitment to privacy protections and contain standards to minimize contact with personal information while dealing with cybersecurity threats. "DHS builds strong privacy protections into the core of all cybersecurity programs and initiatives," Chandler said, adding that the agency realizes that providing assistance to private companies is a sensitive task that requires "trust and strict confidentiality."
The Constitution Project report recommends that officials limit the amount and nature of personal information shared between the public and private sectors. And it calls for strict oversight of the cyber programs by Congress and independent audits, to ensure that privacy rights have not been violated.
"The government should not be permitted to conduct an end-run around Fourth Amendment safeguards by relying upon private companies to monitor networks," it said.
In addition, the report raised concerns about the ongoing development of the Einstein 3 program, a government network monitoring system that would both detect and take action against cyberattacks on federal systems. DHS officials have said that extensive privacy protections are in place.
But the report expressed concerns that as DHS and the secretive National Security Agency share information about potential computer-based threats, the NSA could review communications from U.S. individuals without setting up privacy safeguards.
"With more and more people needing to share sensitive personal and financial data over the Internet, it is absolutely vital that, while we are looking to protect our networks against cyberattack, we also preserve our constitutionally guaranteed rights to privacy," said Constitution Project committee member Asa Hutchinson, a former DHS undersecretary who also served as a GOP congressman from Arkansas.
Lawmakers who have been wrestling with these issues over the past several years have several bills in the works, and most include some privacy provisions.