Top lawmakers in Washington recently talked about reconsidering cybersecurity legislation — legislation that has failed to become law multiple times.
While President Barack Obama’s executive order is making progress in attempts to shore up some cybersecurity weaknesses, difficult questions remain, particularly regarding personal privacy. We don’t have to compromise our personal privacy for the sake of security. With a forward-thinking cybersecurity policy, we can keep ourselves safe and sustain our individual freedoms.
Information networks — such as the Internet — provide unprecedented opportunities for individuals all over the world to meet their potential. But that interconnectedness also creates great security vulnerabilities for the United States. Our banks, power companies and telecommunications networks are all networked and have been targeted with malicious intent.
The government, however, can’t protect them alone because most of these assets are privately owned. That is one reason the director of national intelligence called cybersecurity the greatest threat to America’s security.
For private companies, one way to reduce the threat of cyberattacks is to share information with government agencies. This enables our security and law enforcement officials to create a fuller picture of potential threats, reduce the impact of ongoing threats and possibly prevent some future attacks. Sharing information won’t create a threat-free environment, but it can create the conditions for the government to help businesses protect themselves.
It’s important to note, however, that there’s a right way to share cyber-threat information and a wrong way to share cyber-threat information.
The right way to share information is consistent with traditional American values, respects personal privacy and ensures continued freedom of speech. The wrong way is to assume that we must cede all of our personal privacy to remain safe. We can make the Internet more secure without giving up our personally identifiable information.
In fact, our security leaders say they don’t need access to our personal information to protect cyberspace. They just want to know that there are attacks, and the nature of those attacks, so they can help others protect themselves. This can be done by limiting information shared to technical details — like malicious codes and IP addresses — as opposed to sharing emails and other personal items.
By ensuring information shared with the federal government is anonymous, we can protect ourselves at home and lead by example — consistent with American values — abroad.
If we concede that it’s necessary to share the content of our communications to secure ourselves, other countries will follow our lead and use our example as a pretense for creating similar policies. The fallout will be detrimental. Freedom of speech will be stifled as personal communications are shared with national governments. Authoritarian countries will cite our policies as they suppress democracy movements grappling to take root.
The better path is to lead by example. We can ensure that information networks enable hope and opportunity around the world without sacrificing our security.
Some will argue that information should be shared with the government wholesale. But better securing cyberspace doesn’t require knowing what we write in our emails. We can do both. We can make information anonymous before it’s shared with the federal government and limit the purposes that information can be used for.
Sharing can easily be incorporated into a company’s network architecture. This will enable us to keep cyberspace as an enabler of innovation and debate, without damaging businesses’ bottom lines. To the contrary, it’s in businesses’ best interests to assure customers that their information is being protected. In short, we can secure the cyber-domain without sharing the content in it.
As our elected leaders once again try to pass cybersecurity legislation, they should commit to doing so in a way that maintains freedom of speech.
Information that helps protect against ongoing and future cyberattacks can be shared without identifying individual Americans.
American security consistent with American values: That’s one idea Democrats and Republicans can support.
Matthew Rhoades is director of the Cyberspace & Security Program for the Center for National Policy and the Truman National Security Project.