Private emails and other personal correspondence could be collected and scoured by government officials if changes being considered to the recent White House cybersecurity executive order are honored.
Under the cybersecurity directive signed last month by US President Barack Obama, “commercial information technology products or consumer information technology services” such as Gmail and Facebook aren’t lumped in with the so-called “critical infrastructure” entities that are asked to share information with the federal government. Now some telecommunication companies disagree with that part of the order and say the White House should revamp the language so that these exemptions aren’t exploited by hackers.
Calls for changes in the president’s draft come after a wave of reported cybercrimes have targeted all aspects of the Web, from social media sites to government property. Twitter.com was recently the victim of a massive security breach, and a highly-touted report released by Northern Virginia security firm Mandiant last month claimed that Chinese hackers have infiltrated a number of Defense Department computers. Even though commercial websites aren’t included in the executive order’s provision, some say they should.
“If e-mail went away this afternoon, we would all come to a stop,” Marcus Sachs, vice president of national security policy at Verizon Communications Inc., tells Bloomberg News. “Hell yeah, e-mail is critical.”
The president, however, hasn’t considered it as such. According to his order, “critical infrastructure” is defined by “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
When Pres. Obama announced his directive during last month’s State of the Union address, he said the threat of cyberattacks was growing rapidly and that hackers are stealing people’s identities and infiltrating private emails. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems,” he said. “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
If telecoms have their say, the government will soon be scooping through those emails too. Verizon, the second largest telephone company in the United States, isn’t alone in asking for reform only weeks after the president’s directive was released.
“The nation’s cybersecurity policy framework should be structured in a way that takes into account the shared responsibility of the entire Internet ecosystem,” adds Ed Amoroso, chief security officer at AT&T Inc. — the biggest U.S. phone company.
Currently, the president’s plan requires only that the administration establishes a “framework” for privately owned entities deemed critical to the national infrastructure — such as defense contractors, utility companies and banks — to voluntarily share threat information with the government with ease. Although it does not outline a specific plan for putting that data in the hands of the government, the president has assigned a task force to determine how to do as much in the coming months. Now should telecoms intervene in the process, the info-sharing could span across all entities of the Web.
“If you’re attacking people, you go for the weakest link and the weakest link is often some commercial product,” attorney and former Homeland Security official Stewart Baker adds to Bloomberg.
The Senate Commerce and Homeland Security Committees are scheduled to meet on Thursday this week to examine the president’s executive order and consider their options with passing legislation that would mandate information sharing across the Web between businesses and Uncle Sam. And although the executive order does not require businesses to share threat information, lawmakers will examine another proposal this week that will make these interactions mandatory. Members of the two committees are also scheduled on Thursday to discuss the Cyber Intelligence Sharing and Protection Act, or CISPA, a bill that was introduced during the last congressional session but failed to gain footing.
During last month’s State of the Union, Pres. Obama said, “Congress must act as well by passing legislation to give our government a greater capacity to secure our networks and deter attacks.” CISPA was formally introduced only hours later.