June 23, 2010
The Honorable Joseph Lieberman
The Honorable Susan Collins
The Honorable Tom Carper
Senate Committee on Homeland Security and Government Affairs
340 Dirksen Senate Office Building
Washington, DC 20510
RE: Civil Liberties Issues in Cybersecurity Bill
Dear Senators Lieberman, Collins and Carper:
The Homeland Security and Government Affairs Committee will soon consider the
Protecting Cyberspace as a National Asset Act, S. 3480. We are privacy, civil
liberties and civil rights groups writing to express our concerns about the
legislation. Changes are needed to ensure that cybersecurity measures do not
unnecessarily infringe on free speech, privacy, and other civil liberties interests.
Scope. The legislation, among other things, creates a National Center for
Cybersecurity and Communications (NCCC) with significant authority over covered
critical infrastructure (CCI) owners and operators. This makes the determination of
what is, and is not, a CCI system or asset important to the scope of the legislation.
However, the bill does not adequately define CCI, giving rise to concern that it
includes elements of the Internet that Americans rely on every day to engage in free
speech and to access information. Some have regarded the national
communications system itself as a “critical infrastructure” in other contexts. We ask
that you clarify the scope of the legislation by restrictively defining CCI so that
cybersecurity responsibilities the bill imposes fall only on truly critical network
components.
Preserving Free Speech in Cybersecurity Emergencies. The bill authorizes the
NCCC, in an emergency declared by the President, to take unspecified emergency
actions to preserve the reliable operation of particular covered critical
infrastructure. The government can compel companies that own or operate critical
infrastructure systems to take those undefined actions for 30‐day periods that may
be renewed indefinitely. While the bill makes it clear that it does not authorize
electronic surveillance beyond that authorized in current law, we are concerned
that the emergency actions that could be compelled could include shutting down or
limiting Internet communications that might be carried over covered critical
infrastructure systems. This section should be amended to articulate the specific
emergency actions the NCCC can compel, and any applicable limits on those actions.
It should also be amended to ensure that emergency measures undertaken do not
unnecessarily disrupt Internet communications. The Internet is vital to free speech
and free inquiry, and Americans rely on it every day to access and to convey
information. Any cybersecurity action the government requires that would infringe
on these rights of free speech and free inquiry must meet a traditional First
Amendment strict scrutiny test: (i) the action must further a compelling
governmental interest; (ii) it must be narrowly tailored to advance that interest; and
(iii) it must be the least restrictive means of achieving that interest. Finally, the bill
should also be amended to require an independent assessment of the effect on free
speech, privacy and other civil liberties of the measures undertaken to respond to
each emergency the President declares. It is imperative that cybersecurity
legislation not erode our rights.
Information Sharing and Privacy. The bill requires CCI owners and operators to
share cybersecurity “incident” information with DHS, which will share some of that
information with law enforcement and intelligence personnel. It includes an
important limitation: the incident reporting mandate does not authorize any federal
entity to compel disclosure relating to an incident or conduct surveillance unless
otherwise authorized under the surveillance statutes or other laws. However, the
bill does not indicate what might be included in an “incident report” and we are
concerned that personally‐identifiable information will be included. To minimize
the privacy impact of sharing personally identifiable information, we ask that you
ensure that information sharing activities be conducted only in accordance with
principles of Fair Information Practices as articulated by the DHS Privacy Office.
Transparency. Cybersecurity measures that have an impact on the public should
be transparent to the public to the maximum extent possible. Unlike other
proposals, your legislation does not appear give the National Security Agency and
the Department of Defense an outsized role in securing civilian government and
privately‐owned networks. Such a role would no doubt mean less transparency
about cybersecurity activities, and more concern about whether they comply with
the law. While the bill includes several provisions requiring reports to Congress,
including reports about cybersecurity emergencies and about monitoring Internet
traffic to and from government agencies for cybersecurity purposes, it should clarify
that these reports must be made available to the public. We would like to explore
with you other reporting requirements that would help the public better assess the
impact of cybersecurity measures on civil liberties.
Thank you for considering our views. If you would like to discuss them further, or
would like to respond to this letter, please contact Michelle Richardson at the
American Civil Liberties Union, 202/715‐0825.
Sincerely,
American Civil Liberties Union
American Library Association
American Association of Law Libraries
Association of Research Libraries
Bill of Rights Defense Committee
Center for Democracy & Technology
Citizens Committee for the Right to Keep and Bear Arms
Competitive Enterprise Institute
Constitution Project
Cyber Privacy Project
Defending Dissent Foundation
DownsizeDC.org
Electronic Frontier Foundation
Government Accountability Project
Liberty Coalition
Liberty Guard
Muslim Public Affairs Council
Muslimah Writers Alliance
National Lawyers Guild – National Office
OpenTheGovernment.org
OMB Watch
Political Research Associates
Rutherford Institute
U.S. Bill of Rights Foundation
cc:
Howard Schmidt, Cybersecurity Coordinator, The White House
Philip Reitinger, Deputy Under Secretary, National Protection and Programs
Directorate, Department of Homeland Security
Members of Senate Homeland Security and Government Affairs Committee
Rep. Jane Harman
Rep. Peter T. King
http://www.cdt.org/files/pdfs/20100624_joint_cybersec_letter.pdf