Largely drowned out by media coverage of the State of the Union address Tuesday night was the simultaneous release of an executive order entitled “Improving Critical Infrastructure Cybersecurity.” In a nutshell, the order paves the way for an information sharing program between government and private industry, in order to assess and address threats to cybersecurity.
The language of the order is vague, almost timid, and it appears that the administration is trying hard to avoid any backlash over privacy concerns, with repeated references to respecting civil liberties and a reported endorsement from the ACLU. That the White House would be a little gunshy about this issue is understandable. Last year, two bills designed to combat internet piracy – designated SOPA and PIPA – were met with massive resistance both by individuals and companies such as Google, Amazon and Wikipedia, ultimately resulting in a day of internet darkness with many popular websites shutting down in protest.
The major objections to these bills were rooted in the fact that they granted broad, poorly defined powers to the federal government to unilaterally control, and even shut down parts of the internet in response to unspecified threats to national security. Critics saw such powers as dangerously easy to abuse and feared for the civil rights of American internet users. Partially as a result of the public outcry, both SOPA and PIPA were ultimately defeated, as was a third bill, the Cyber Intelligence Sharing and Protection Act (CISPA,) designed to facilitate information sharing between business and government. Unlike the order issued Tuesday, however, CISPA would also authorize the federal government to shut down internet traffic from certain sources in response to a cyber-attack.
The problem with bills such as these is that there are no clear restrictions on what information can and cannot be shared. There is no guarantee that the personal information of private citizens won’t end up in government hands, and the thought that credit card numbers and medical histories could be shared without users’ consent is understandably worrying. This is no doubt the reason why the aforementioned executive order is so cautious in its language. The order exempts commerce and social media sites, such as Amazon and Facebook, from any information sharing, all of which is voluntary anyway. Indeed, the White House has gone out of its way to point out that nothing in the order forces companies to do anything they don’t want to do.
Although CISPA was defeated by the Senate when it was introduced last year, it is due to be brought up again sometime in the first half of 2013. The executive order issued by President Obama already implements parts of the bill, possibly as a way to ease lawmakers through the transition towards more comprehensive legislation. After the overwhelmingly negative reaction to previous attempts to regulate the internet, any new attempts will have to be subtle and gradual.
This means that advocates for internet freedom will have to be especially vigilant in the future, keeping a keen eye out for the gradual erosion of our privacy rights. To that end, it is worth pointing out that Obama’s executive order places responsibility for information sharing in the hands of the Department of Homeland Security, an organization not exactly renowned for its
constitutionality or respect for civil liberties, and that the order covers all “critical infrastructure,” a vaguely defined term that encompasses not just the internet, but also electricity, gas, the water supply, telecommunications, heating, banking and anything else deemed essential to the functioning of society. The consistent use of such open-ended terms leaves the door open for sweeping regulations with any number of unforeseen consequences.
As ever, victories for internet freedom are fleeting. The state will always fear that which it cannot control, and the attempts to regulate the internet are sure to continue for years to come. Although the cybersecurity executive order looks fairly innocuous, it is important to stay informed and alert to where it could lead. When CISPA is reintroduced later this year, it must not be allowed to slip through the cracks unnoticed.