Speaking at a policy debate Wednesday at The Heritage Foundation, a representative of the American Civil Liberties Union (ACLU) warned that a bill currently being considered by the House Select Committee on Intelligence would intertwine the National Security Agency (NSA) with corporate America, exposing vast amounts of private civilian data to unprecedented levels of monitoring, all in the name of “cybersecurity.”
H.R. 3523, introduced last year by Rep. Mike Rogers (R-MI), purports to help safeguard American corporations from espionage and cyber crime by allowing the NSA and other federal spy agencies to work directly with large corporate players, funneling them classified information on threat assessments to enable companies to defend themselves.
While the bill is openly supported by companies like AT&T, Lockheed Martin, Microsoft, Facebook, Boeing and Intel, ACLU legislative counsel Michelle Richardson cautioned Wednesday that it is not something to be taken up lightly.
“[The Rogers bill] will encourage companies to share personal and private data with the government,” she said. “And then with very little oversight, allow the information to be used in a number of different ways.”
“If you put the government int he middle of an information sharing scheme, it is absolutely critical that you clarify that it must be run by a civilian agency,” Richardson added. “One of our biggest criticisms of the Rogers bill is that they either explicitly say information should go to the National Security Agency and Cyber Command, or they’re otherwise silent and allow companies to choose where they want to send information, including to these different military facilities.”
Rogers contended that the NSA is full of “brilliant” people who “spend their day trying to figure out what the bad guys are doing to people, and what potential bad things are out there that we ought to be looking for.”
“Imagine how much stronger [U.S. corporations] would be if we let them know what the enemies are up to, and allowed them to see it in a very classified way, so that they can apply that knowledge to their networks and protect that network,” he added.
While it may sound good to some, Richardson countered that Rogers’ plan breaks with American tradition by explicitly using a military organization for domestic purposes.
“It’s a longstanding American value that the military does not operate on U.S. soil, and that’s what we’re really talking about here with these cyber security programs: domestic, civilian Internet use,” she said. “It is wholly inappropriate to have the military at the center of receiving, processing and distributing that information.”
Richardson also stressed that should Congress commit to using the government as an information sharing apparatus for corporate America, it must very narrowly define how information is shared and limit exceptions to privacy laws to extraordinary circumstances only.
The ACLU also recommended in a letter published in December that Congress take special care to require that all personally identifiable information be removed from information shared with its cyber command, to protect against the potential for abuse. They also asked for an oversight structure that produces regular public reports on the program.
“We’re very happy to see that the Obama Administration agrees, and they’ve spent the last several years making sure that these sorts of civilian domestic cyber security operations are going through [the Department of Homeland Security] and not the NSA,” Richardson said.