One of the most interesting laws created by Congress was the Cyber Security Act of 2015. It was created as part of the Omnibus Appropriations Act signed by President Barack Obama that year. The Act limited government use of collected online information and how information could be shared between different nongovernment organizations and different levels of government. The bill may also have increased government oversight as well, considering the fact that the Department of Homeland Security now has increased access to networks to protect against terrorism and espionage. The Act has a “provider exception” (Kerr, 2015), which allows individual internet providers to conduct surveillance on their own networks and choose as to whether or not to disclose any information to the government. I agree with how the law was written, but I did not necessarily agree with some of the provisions included within it. After researching some of the provisions and why they were implemented it became clear that historic abuses have caused the law to be needed; however, that does not mean that the Act does not threaten the liberties of the American people.
Some of the provisions of the law were created from historical issues that the advancement of technology has brought about. For instance, the provider exception was created because of the sheer level of telephone fraud in the 1960s (Kerr, 2015). Providers of the telephone services would listen in to calls to identify the users. Courts ruled that they had the right to do so and created a responsibility to disclose only when it was necessary to the security of the network and its users. The provider exception was extended to the internet in 1986, but there was no specific law that may it statutory. Thus, the term “provider” was deemed to apply to the network manager. In 2001 Congress enacted 18 U.S.C. § 2511(2)(i), which allowed network providers to request government surveillance of network hackers if there was already an ongoing investigation. However, the Cyber Security Act allowed network providers to legally take control over the networks in conjunction with government support. However, this Act also creates a significant loss of privacy for network users, as only the courts would be able to decide when a loss of privacy and an overreach of the Act has occurred. As the trial process is typically an expensive and lengthy process, this does not create a significant level of confidence in the system.
There are a few problems with the Act that needs to be addressed. The Act has been criticized because the mandate of information sharing places the responsibility of action on the government, which can be tedious and time consuming in its approach. Cyber-criminal organizations and individuals move at a much faster rate (Tracy, 2015). Therefore, the Act does not go far enough to increase the efficiency of combating cyber security, even if it is a first step in the right direction. Another issue that bogs the Act, and indeed most bills passed by Congress, is the lack of clarity throughout the bill; this is especially true in the case of privacy. The bill does not provide specifics about what constitutes a reasonable assumption that a network has been briefed. As previously mentioned, network providers will have to individually determine as to whether or not they have the right under the current law to breach network privacy. In addition, the needs of this Act can be traced back to the creation of the Patriot Act that came as a result of the terrorist attacks that occurred on September 11. The Patriot Act increased the government’s ability to collect information about American citizens (Boykoff, 2006), with many believing that such an Act was unconstitutional. Regardless, the United States has seen an increased shift towards increased security and oversight coinciding with an increased growth of communication technology. The government and judiciary must decide what oversight is necessary while ensuring that it is also constitutional. The Cybersecurity Act increases information sharing without increasing oversight and regulations about what can be used. This is one of the largest issues about the vaguely worded act and may result in the need for precedent to be established unless the law becomes better defined and explained.
There are several positive aspects about the Act. For one, even though the Act might decrease the privacy of citizens, it does provide increased protection of the security networks within America. By allowing the network providers to monitor their own networks, the federal government does not need to dramatically increase its manpower. For one, Title I states the providers do not have a duty to share information; rather, it is their own choice to do so unless they are required to do so by the federal government. In addition, the Act facilitates sharing between government levels because it directly requires that they openly share information with each other to help identify cyber criminals (Tracy, 2015). While it is true that in most cases network providers are at an increased risk of violating the privacy of individuals, one positive aspect of this ability lies in the business sector. Businesses can better fight against corporate espionage by successfully monitoring their own networks, something that is absolutely vital in a world where China and Silicon Valley has made corporate espionage a continuous possibility. Therefore, this aspect is vital to big businesses and those that have government contracts that might have valuable or classified information.
A few changes should be made in order to ensure that the privacy of individuals is protected. For instance, network providers should be able to independently determine whether or not to investigate individuals on their networks; however, there needs to be increased legal protection as to what information can be shared. The government is already limited by what laws it can prosecute under, such as espionage. Some safeguards should also be implemented to protect what information can be used in a court of law in order to protect the individual’s rights to privacy. In a society that considers itself free and privacy a fundamental right, implementing increased accountability is completely in line with America’s values. The Act should also provide a quicker mechanism for sharing information with the US government. For instance, currently network providers are free to share whatever information that they choose; this is meant to ensure that no information is being forced or used inappropriately. If proper safeguards about what information can be used in court are implemented, it would be far more effective to require that network providers share information immediately if that information meets certain criteria; namely, a serious cyber/terrorist attack against the United States. This would establish a surveillance state unless the safeguards created are strong; however, it protects the public because network providers are no longer able to hold information if they have a bias or personal reason for doing so. Network providers should be required to share only serious information, with law specifically laying out what constitutes a serious threat, and then a specific timeline of sharing this information, such as three days. Laws like this exist everywhere within the United States, such as laws that require citizens to take a certain action under specific circumstance, such as crime reporting in some states.
Therefore, the Cybersecurity Act is very important in ensuring future cooperation and information sharing between various government agencies and levels, and increases the cooperation between private network providers and the US government. However, the issues with the Act range from its vagueness being a threat to privacy to the slowness that results from increased information sharing. While the Act might constitute a threat to individual’s privacy, there are a few changes that can be made in order to protect privacy; namely, setting standards on what information can and cannot be used in a court of law. After this has been completed, then the Act will be more successful in protecting the rights of individuals and also in protecting network security.
References:
Boykoff, J. (2006). How patriotic is the patriot act? Freedom versus security in the age of terrorism. The Journal of Politics, 68(2), 470–471. doi:10.1111/j.1468-2508.2006.00420_6.x
Kerr, O. (2015, December 24). Opinion | how does the Cybersecurity act of 2015 change the Internet surveillance laws? Washington Post. Retrieved from https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/12/24/how-does-the-cybersecurity-act-of-2015-change-the-internet-surveillance-laws/?utm_term=.fb8b1f1d63d0
Tracy, A. (2015, October 29). The problems experts and privacy advocates have with the senate’s Cybersecurity bill. Forbes. Retrieved from http://www.forbes.com/sites/abigailtracy/2015/10/29/the-problems-experts-and-privacy-advocates-have-with-the-senates-cybersecurity-bill/#6dc2ff0830fc