As is the case with many large institutions, federal agencies are playing catch-up with advances in technology, though some are succeeding better than others. On July 31, 2012, we learned from Gregory C. Wilshusen, director of information security issues at the U.S. Government Accountability Office (GAO-12-96IT), that “Federal Law Should Be Updated to Address Changing Technology Landscape.” Two days later, the Cybersecurity Act of 2012 (S.3414) failed to win a cloture vote that would allow the Senate to vote on the bill before the August recess. (This came a mere week after “the head of the National Security Agency reported a 17-fold increase in cyber attacks against our most vital and valuable industries.”) The testimony and the bill address privacy issues that should concern every American who has dealings with any federal agency. However, the GAO report indicates that many privacy issues remain unaddressed, and 100 senators have left Washington for vacation without voting on S. 3414. The Senate will likely take up the bill in the fall though consensus among the players, and thus passage, is far from assured.
Benefits of Updating the Privacy Act
Technology has advanced since the Privacy Act became law in 1974, changing “the way information is organized and shared among organizations and individuals.” Requirements directed at individual agencies do not address the needs of a government that collects, uses, discloses, and shares personal information among multiple agencies today. The E-Government Act of 2002 enhanced the protection of personal information in government systems or information collections, requiring that agencies conduct privacy impact assessments (PIA) analyzing how personal information is collected, stored, shared, and managed.
The current GAO study identified three areas of concern:
- Applying protections consistently to all federal collection and use of personal information. The report recommends revising the scope of existing laws to cover all personally identifiable information collected, used, and maintained by the federal government.
- Ensuring that use of personally identifiable information is limited to a stated purpose.
- Establishing effective mechanisms for informing the public about privacy protections by revising requirements for the structure and publication of notices.
Data breaches at federal agencies pose a serious threat to national security and the privacy of individuals’ personal information. Existing laws “may not consistently protect personally identifiable information,” but one easy fix would be to revise “the system-of-records definition to cover all personally identifiable information collected, use, and maintained systematically by the federal government.”
Incidents of computer security breaches have skyrocketed in recent years, not only among federal agencies, but in the commercial sector as well. While there is some controversy concerning the financial impact on the economy—Symantec says theft of intellectual property costs American companies $250 billion a year; McAfee estimates global cost of cybercrime to be $1 trillion—all predict increases in the future as computer scientists attempt to keep pace with ill-doers. Phishing accounts for over half of all incidents reported to U.S. Computer Emergency Readiness Team (USCERT) in 2011; incidents reported to US-CERT by federal agencies in FY2011 can be categorized as follows:
- Unauthorized access
- Denial of service
- Malicious code
- Improper usage
- Scans, probes, and attempted access
- Under investigation/other
For a detailed review of 43,889 computer security incident reports by federal agencies, as well as implementation of OMB guidance concerning computer security, see the Office of Management and Budget (OMB) latest annual, Fiscal Year 2011 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002 (FISMA).
Sponsored by Sen. Joseph Lieberman (I-CT), S. 3414 would create “mechanisms for sharing cyberthreat information between government and businesses, and would set voluntary cybersecurity standards for companies that run critical infrastructure such as power grids.” Initially, the bill faced stiff opposition from Republicans in the Senate, various industry groups, and civil libertarians who were concerned about personal dossiers being collected by the National Security Administration (NSA), a claim denied by GEN Keith B. Alexander - Commander, U.S. Cyber Command/Director, NSA/Chief, CSS at last month’s DefCon meeting of hackers in Las Vegas.
The Senate bill, including many of its amendments addressing the concerns of business, security professionals, and privacy advocates (e.g., ACLU), has much in common with four House bills adopted in April, including “removing barriers to information sharing with privacy protections, pushing the federal government to do a better job of protecting its own networks through continuous monitoring, and increasing the focus of federal research and development in cybersecurity. These change would immediately begin to make a difference right away…that will help make our country more secure and is therefore worth doing.” Sen. Lieberman declared his anger about the failure of the Senate to vote on the bill stating, “[W]hat’s at stake here is the security and prosperity of the American people.”
Individual Agencies Continue to Address the Privacy Concerns of Americans
As the Senate and Congress deal with government-wide issues, individual agencies are taking steps to address concerns that affect their constituencies in light of changing technology. For example, the FTC is seeking comments on proposed changes to the Children’s Online Privacy Protection Act of 1998 (COPPA) beyond those proposed in September 2011 that would “strengthen its protections for the online collection, use, or disclosure of children's personal information,” clarifying “the responsibilities under COPPA when third parties such as advertising networks or downloadable software kits (‘plug-ins’) collect personal information from users through child-directed websites or services.” (Comments can be submitted through Sept. 10, 2012 at https://ftcpublic.commentworks.com/ftc/2012copparulereview.)
Ensuring the privacy and security of personal information collected by federal government agencies, preventing cyberattacks on systems that maintain this information and share the information among agencies, and conducting research to allow the government to prevent cyberattacks in the future is a responsibility of government that all Americans can support. Updating federal laws, providing guidance to federal agencies concerning best practices that strike “an appropriate balance between privacy concerns and the government’s need to collect information,” as well as “implementing sound practices for securing” essential national assets against malicious cyberattack can be achieved throughout the government through review and updates of regulation and legislation, and continuous improvement programs at the individual agency level.