Executive action on critical infrastructure protection renews debate on privacy and information sharing

The release last week of an Executive Order focused on “Improving Critical Infrastructure Cybersecurity” represents the latest move by the administration to encourage information sharing between the federal government and private sector entities responsible for operating and maintaining critical infrastructure such as power utilities, telecommunications, transportation, and other vital services. The Executive Order and a corresponding Presidential Policy Directive (PPD-21) on Critical Infrastructure and Resilience also renewed debate over the extent to which the government is ignoring, rolling back, or enabling the circumvention of existing privacy laws by allowing largely unrestricted information sharing about individuals in the name of national security. While the latest presidential missives include language about respecting privacy rights and invoke Fair Information Practice Principles and other safeguards for civil liberties, criticisms of the government’s new policy call out the lack of specificity about exactly what types of information can be shared under what circumstances. Concerns over privacy implications seem somewhat lower than those focused on the Cyber Intelligence Sharing and Protection Act (CISPA) reintroduced in the House of Representatives with language essentially unchanged from the version that failed to make it through the 112th Congress.

Much of the public concern related to greater levels of information sharing between private sector entities and the government focuses on the potential for personal information about individuals – including the contents of emails and Internet browsing behavior – to be freely handed over to the government. The focus of the Executive Order, however, is on government agencies sharing threat information, including classified information, with private sector entities in order to better coordinate critical infrastructure protection activities.

Without getting into the potentially intractable privacy and security debate intrinsic to any heightened domestic threat monitoring efforts, one of the interesting aspects of the reactions in response to the new Executive Order is how little of the policy it contains is new. The majority of the responsibilities and intended actions specified last week appear almost verbatim in Homeland Security Presidential Directive 7 (HSPD-7), issued by President Bush in December 2003. In particular, the identification, prioritization, and coordinated protection of critical infrastructure assets and the need to coordinate efforts with relevant private sector entities have been core parts of federal critical infrastructure protection policy and practice for several years. HSPD-7 placed federal oversight of critical infrastructure protection with the Department of Homeland Security and directed the DHS Secretary to “produce a comprehensive, integrated National Plan for Critical Infrastructure and Key Resources Protection” more commonly known as the National Infrastructure Protection Plan (NIPP). These responsibilities are reiterated in the Executive Order and PPD-21 (including requiring an update to the NIPP), augmented with the proposed development of a Cybersecurity Framework by the National Institute of Standards and Technology (NIST), the agency currently responsible for developing information security standards and guidance to satisfy federal legal, regulatory, and policy requirements, notably including those enumerated in the Federal Information Security Management Act (FISMA). It remains to be seen how much the new Cybersecurity Framework will resemble or draw upon the government’s current Risk Management Framework and associated recommended security controls, but given the government-wide progress in moving to a consensus approach and set of standards and guidelines, it seems to be a logical starting point.