If you’re in Washington DC this Wednesday, you’ll have to endure the agony of choice between two great cybersecurity panels.
George Washington University’s Homeland Security Policy Institute will be hosting a roundtable discussion on pending cybersecurity legislation, with former Director of National Intelligence Mike McConnell, former Department of Homeland Security Director Michael Chertoff, and senior congressional staff. The event begins at 10:30 in the Jack Morton Auditorium, 805 21st Street, NW. See this link for more information.
And the Bipartisan Policy Center will be hosting an event at the same time on how best to forge public-private partnerships for cybersecurity, with a focus on policies put forth by the FCC. That discussion will include former Assistant Secretary for Policy at DHS, Stewart Baker; Director of Risk Management Information Security at CenturyLink, Michael Glenn; President of the internet intelligence firm Renesys, Andy Ogielski; and Assistant Secretary of the Office of Cybersecurity and Communications at DHS, Greg Schaffer. This event will be held at 1225 Eye St. NW, Suite 1000. See the link for more details.
The House Subcommittee on Counterterrorism and Intelligence held a hearing yesterday on “DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy.” The hearing was aimed at providing insight into how exactly DHS is utilizing this resource for protecting national security, with specific attention paid to the department’s contract with General Dynamics.
Addressing the subcommittee were Mary Ellen Callahan, DHS’s Chief Privacy Officer, and Richard Chavez, Director of DHS’s Office of Operations Coordination and Planning.
Rep. Meehan (R-PA) began his remarks by noting the importance of intelligence gathering to protecting citizens from harm, but noted that your friends reading your Facebook posts is different than DHS reading them. He stressed the need to balance privacy interests with the benefits that we accrue from this information collection. He also highlighted the fact that the DHS Privacy Officer is the “first statutorily mandated privacy officer in any federal agency.”
Callahan stated that DHS has three uses of social media: 1) for external communications and public outreach; 2) enhancing situational awareness of government agencies; and 3) where appropriate authorities exist, for law enforcement and investigative purposes. She outlined various measures that have been implemented to safeguard individual privacy, including a “holistic set of privacy protections” that were incorporated into the June 2010 document “Publicly Available Social Media Monitoring and Situational Awareness Initiative” PIA. She summarized DHS’s privacy policies thusly: “if you can’t do it offline, you can’t do it online.”
Even before the questioning began, it was apparent that a chief concern of the committee members was the chilling effect this monitoring might have on First Amendment protections for free speech, as well as the grave privacy implications of these activities. The common theme from both Callahan and Chavez in this regard was that DHS is more interested in the “what” rather than the “who” behind social media information, and that there are robust privacy protections and review mechanisms in place to ensure the monitoring and use of that information does not have that feared chilling effect or threaten individuals’ privacy.
Rep. Speier was not moved by the assurances given by the witnesses, admonishing DHS for provisions in its contract with General Dynamics which allowed for the collection of personally identifiable information in some circumstances, including on reporters and news anchors. While the exception states that such collection is for the purposes of enhancing the credibility of the specific media reports, Rep. Speier nonetheless declared the policy “outrageous.” She said that the monitoring of public reactions to major government proposals was “not something [DHS] should be doing,” and also endorsed the recommendations made by EPIC, namely that DHS 1) cease collecting info on journalist activities; 2) suspend social media / network monitoring until safeguards are in place; and 3) provide an annual report setting out legal standards for such collection.
When the discussion turned to how extensively social networking sites were being monitored, there was some confusion among the witnesses and committee members. Rep. Meehan wanted to know who was making the decisions as to what subjects to monitor, and Chavez’s answer seemed to be simply that the monitoring is determined based on a set of predetermined keywords, for example “disaster,” “tornado,” and “flood.” Chavez also said that DHS has guidelines in place for sites that monitors can look at, which are submitted to the privacy office for approval. Nevertheless, privacy concerns were raised again and again by committee members.
Rep. Meehan closed the hearing by noting that it was only the beginning of an important discussion, and that it was crucial to strike a balance between protecting the nation and protecting individual rights. It is likely this will be the first of several hearings on this subject.
The Hill reports that Sen. Reid will move the Cybersecurity Act of 2012 to the Senate floor for consideration, bypassing markups or other committee meetings on the legislation. It’ll be interesting to see how the reaction to this plays out in tomorrow’s hearing.
Also, Stewart Baker, one of those testifying tomorrow, has posted his written remarks. You can view them here. Below is a brief excerpt:
Thanks to growing cyber insecurity, all Americans now live in a digital New Orleans, with Katrina just offshore. And not one Katrina, but many. Computer exploits that we once thought were the work of large nations such as Russia or China now seem to be within the capability of countries like Iran and North Korea. If I am right that computer insecurity continues to grow worse each year, then the sophistication needed to launch a cyberattack will continue to decline, and soon such attacks will be within the capability of criminal gangs and online vigilantes like Anonymous.
Disaster is not inevitable. We can head this threat off if we treat it seriously. We may have years before suffering an attack of this kind. We do not have decades. We must begin now to protect our critical infrastructure from attack. And so far, we have done little.
Jeffrey Rosen has a good piece over at the Stanford Law Review site highlighting the dangers of Europe’s proposed “right to be forgotten.” From the article:
In theory, the right to be forgotten addresses an urgent problem in the digital age: it is very hard to escape your past on the Internet now that every photo, status update, and tweet lives forever in the cloud. But Europeans and Americans have diametrically opposed approaches to the problem. In Europe, the intellectual roots of the right to be forgotten can be found in French law, which recognizes le droit à l’oubli—or the “right of oblivion”—a right that allows a convicted criminal who has served his time and been rehabilitated to object to the publication of the facts of his conviction and incarceration. In America, by contrast, publication of someone’s criminal history is protected by the First Amendment, leading Wikipedia to resist the efforts by two Germans convicted of murdering a famous actor to remove their criminal history from the actor’s Wikipedia page.
Check out the whole piece.
National Journal reports that the latest draft of the legislation has been released. The bill would grant greater authority to DHS with respect to safeguarding critical infrastructure and improving information sharing among the government and private sector. Ritika Singh at the Lawfare Blog has provided a link to the text.
The Senate Homeland Security and Governmental Affairs committee will hold a hearing on the legislation Thursday from 2:30-5:30pm. Among those testifying: Sen. John Rockefeller (D-WV), DHS Sec. Janet Napolitano, Chairman of the Chamber of Commerce’s National Security Task Force Tom Ridge, Steptoe and Johnson’s Stewart Baker, CSIS’s James A. Lewis, and Microsoft’s Scott Charney.
(Update – 5:30 pm)
The Hill is reporting that several Republican senators have requested a delay on moving forward with the cybersecurity legislation, citing the sheer breadth of the legislation and lack of consensus building as obstacles to implementing a bipartisan approach to cybersecurity. From the letter:
We call upon our Senate Leadership to allow the committees of jurisdiction to convene hearings and conduct executive business meetings on this new bill so that Senators can be properly educated on this complicated measure and the committees of jurisdiction can provide their necessary perspective before any measure is brought to the Senate floor for consideration.
Yesterday, the Hudson Institute hosted a discussion between Harold Furchtgott-Roth and Gen. James Cartwright (USMC, ret.) entitled “Recent Developments in Cyber Warfare.” Cartwright served as Commander, U.S. Strategic Command, and later as Vice Chairman of the Joint Chiefs of Staff. He is currently the Harold Brown Chair in Defense Studies at the Center for Strategic and International Studies (CSIS).
Cartwright began his discussion by noting that the underlying assumptions about how the Department of Defense (DOD) views cyber and has organized itself in that respect are not well understood, and that he wanted to rectify some of those misconceptions.
This morning, the House Energy and Commerce Committee’s Subcommittee on Communications and Technology held a hearing on the subject of cybersecurity of the nation’s communications infrastructure, and the responses of the private sector.
Testimony was heard from Larry Clinton, President and CEO of the Internet Security Alliance, Bill Connor, President and CEO of Entrust, Robert Dix, VP of Government Affairs & Critical Infrastructure Protection, James A. Lewis, Director of the Technology and Public Policy Program at CSIS, and Phyllis Schneck, VP and CTO of Global Public Sector at McAfee.
Among the consistent themes throughout the hearing was support for increased information sharing between the government and private sector on cyber threats. Rep. Eshoo (D-CA) announced her support for Rep. Mike Rogers’ Cyber Intelligence Sharing and Protection Act of 2011. The bill currently has 54 co-sponsors across partisan lines.
This support was also echoed by those testifying today. Bill Connor stated that the current system of one-way information sharing is untenable and needs to change, and Larry Clinton and James Lewis suggested the Rogers bill was a good place to begin in this area.
Schneck noted that data exchange is crucial to being able to combat these threats – data from both government and private companies – and that some laws prevent companies from sharing this data. She did note that this push for sharing must be tempered with proper privacy assurances.
The panelists largely seemed to eschew government-set standards in favor of industry-developed ones, though Lewis observed that not holding critical infrastructure to some standards will “guarantee an attack.” Clinton recommended an independent authority not to create standards but to evaluate them. And Rep. Terry (R-NE) said it would be quite difficult to set standards in this area as “before the ink is dry on the bill the standards have changed.”
A few other random nuggets from the hearing:
With the subcommittee largely receptive to what the panelists had to say and the broad support that exists for it, I think there’s hope that one of the first legislative steps we’ll see in this area will be the adoption of the Rogers bill.
You can watch the full hearing here.
As noted last week, Concurring Opinions has been hosting an online symposium on Marvin’s forthcoming article, First Amendment Architecture. Marvin has provided summaries of his article in various posts, and others have contributed great pieces on these and related issues. Here’s a quick recap of the posts so far:
Next week, the Stanford Law Review will be hosting a symposium entitled “First Amendment Challenges in the Digital Age,” and a panel will be devoted to discussing Marvin’s forthcoming article on First Amendment Architecture. In the meantime, Danielle Citron and the good folks at Concurring Opinions will be hosting a blogathon discussing the piece and issues it raises. The first post from Marvin tackling the notion of the First Amendment as a negative liberty is up now at Concurring Opinions – check it out here.
And for more background on the article, you can check out this initial post from him.