Transcript: Gregory T. Nojeim Testimony on Cybersecurity and Privacy to the Senate Judiciary Committee
The following is our transcription of remarks made today by Greg Nojeim, Senior Counsel of the Center for Democracy and Technology, in testimony before the Senate Judiciary Subcommittee on Terrorism and Homeland Security.
Thank you for the opportunity to testify about cybersecurity and civil liberties on behalf of the Center for Democracy and Technology. CDT is a non-profit, non-partisan organization dedicated to keeping the Internet innovative, open and free.
The nation faces significant cybersecurity threats. Computer hackers have penetrated government systems and have stolen massive amounts of sensitive information. They’ve penetrated financial networks and have stolen millions of dollars. While the need to act is clear, it is essential that we take a nuanced and incremental approach.
We ask that you keep a key distinction in mind as you go forward: policy toward government systems can be much more proscriptive than policy toward private systems. The characteristics that have made the Internet successful — openness, decentralization, user control — they may be put at risk if heavy-handed cybersecurity mandates are applied to all critical infrastructure.
When he unveiled the White House Cyberspace Policy Review on May 29, President Obama correctly emphasized that the pursuit of cybersecurity must not include governmental monitoring of private networks. Monitoring these systems is the job of private-sector communications providers; they already do it today pursuant to self-defense provisions in current law. The Wiretap Act allows communications providers to intercept and disclose, to both their peers and to the government, communications passing over their networks while they are engaged in activity necessary to protect their own rights and property. ECPA [Electronic Communications Privacy Act] provides similar authority for disclosure of stored communications. Furthermore, the Wiretap Act allows service providers to invite in the government to intercept the communications of computer trespassers. These provisions do not authorize the ongoing or routine disclosure of traffic by the private sector to the government, nor should they. The subcommittee should consider whether it is necessary to clarify these provisions and require public statistical reporting on their use.
While current law authorizes providers to make disclosures to protect themselves, what about disclosures to protect others? There might be a need for a very narrow exception to the Wiretap Act and to ECPA to permit providers to make voluntary disclosures about specific attacks and malicious code to protect other providers. We urge the subcommittee to approach this issue very cautiously, for exceptions intended to promote information sharing could end up harming privacy.
While the private sector protects its systems, the federal government clearly has a need to monitor and protect its own systems. Caution and transparency are both required to avoid chilling communications that Americans have with their government.
The DHS Einstein system is being deployed by government agencies to protect government computers against attack. CDT does not object to this in principle. However, independent audits should be required to ensure that Einstein does not inadvertently access private-to-private communications. Audits could also ensure compliance with strict limits on how much information is collected, with whom it is shared, and for what purposes.
We do, however, object to the secrecy that has shrouded the Einstein program. Notwithstanding the OLC opinions and the privacy impact assessment that have been released, much more needs to be known about the program. Excessive secrecy undermines public trust and communications carrier participation, both of which are essential to the success of this and other cybersecurity initiatives.
On the question of identity and authentication, some have proposed sweeping identification mandates, including even a passport for using the Internet. Identification and authentication will likely play a significant role in securing critical infrastructure. They should be applied judiciously to specific high-value targets and to high-risk activities and allow for multiple identification solutions.
Privacy and security cannot be viewed as a zero-sum game. Measures intended to increase communication security need not threaten privacy and, indeed, they can enhance it. CDT looks forward to working with the subcommittee to identify and promote these win-win solutions.
