The new cyber strategy could provide allies with Americans’ information gathered under proposed legislation.
As Ashton Carter unveiled the Pentagon’s new Cyber Strategy last week, he underscored its importance by revealing that DOD networks had been infiltrated by actors within Russia. The defense secretary did not emphasize a provision of the strategy that could send private data about U.S. citizens and companies to foreign militaries.
Here’s what it says: “To improve shared situational awareness DOD will partner with DHS [Department of Homeland Security] and other agencies to develop continuous, automated, standardized mechanisms for sharing information with each of its critical partners in the U.S. government, key allied and partner militaries, state and local governments, and the private sector. In addition, DOD will work with other U.S. government agencies and Congress to support legislation that enables information sharing between the U.S. government and the private sector.”
The new strategy indirectly, but unequivocally, ties into information-sharing legislation that’s slowly making its way to the President’s desk. Among the various bills moving around Capitol Hill, the most important is the Cyber Information Sharing Act. Among other things, CISA would protect companies from being sued for sending data about their users to DHS, which would be permitted to send it in real time to DOD and other U.S. agencies and outfits. In turn, DOD’s new strategy claims the right to to share cyber threat data beyond the United States. Presumably, that would include information obtained via CISA.
In particular, the new strategy pledges DOD cyber assistance, including information sharing, to allies in the Middle East. “As a part of its cyber dialogue and partnerships, DOD will work with key Middle Eastern allies and partners to improve their ability to secure their military networks as well as the critical infrastructure and key resources upon which U.S. interests depend. Key initiatives include improved information sharing to establish a unified understanding of the cyber threat, an assessment of our mutual cyber defense posture, and collaborative approaches to building cyber expertise.”
For his part, the nation’s top cyber warrior is openly pleading for new info-sharing laws. “We’ve got to get cyber-information sharing legislation passed,” Adm. Michael Rogers, commander of U.S. Cyber Command and director of the National Security Agency, said earlier this month at an Armed Forces Communications and Electronics Association event. Rogers said his ability to share information with the FBI was key to fingering North Korea as the perpetrator of the Sony hack.
Robyn Greene, who serves as policy counsel for the Open Technology Institute at the New America Foundation, argued that the bills would allow companies to collect and share a lot more information about the people that they interact with online. Moreover, there would be few limits on how the U.S. government could use that information. It could, for example, be used to investigate or prosecute crimes that have nothing to do with stopping hacks.
“This authorization would not just seriously undermine Americans’ Fourth Amendment rights, which would otherwise require the government to obtain a warrant based on probable cause to access much of that same information, it would create an expansive new means of general-purpose government surveillance. (Sec. 5(d)(5)(A)),” she wrote.
Mark Jaycox, a legislative analyst at the Electronic Frontier Foundation, has made similar arguments. “Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and potentially the Computer Fraud and Abuse Act would be precluded or at least sharply restricted … It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information.”
Full article: How the Pentagon Could Soon Share Americans’ Data With Foreign Militaries (Defense One)