Members of the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies heard from cybersecurity pros Thursday on balancing privacy with civil liberties.
The Cybersecurity Subcommittee hearing, "Striking the Right Balance: Protecting Our Nation's Critical Infrastructure from Cyber Attack and Ensuring Privacy and Civil Liberties," featured Mary Ellen Callahan, partner at Jenner & Block and former chief privacy officer at the Department of Homeland Security; Cheri McGuire, VP, global government affairs & cybersecurity policy for Symantec; and Harriet Pearson, a partner at Hogan Lovells and former IBM chief privacy officer.
In opening the hearing, chairman Patrick Meehan (R-Pa.) said the nation has made great strides in cybersecurity protection, but that the attacks are multi-pronged and growing. He pointed to the Dow Jones plunge this week after a hacked AP tweet suggesting there had been explosions at the White House that injured the President. "This is a remarkably important issue," Meehan said.
Meehan said he has reached out to the ACLU and other privacy advocates so they could be instrumental in the committee's work. He said that the intent of sharing intelligence is to protect cybersecurity "and nothing else."
The committee is "not concerned with the Internet habits of ordinary Americans," Meehan said. He said PII (personally identifiable information) "must be protected," and suggested that the Department of Homeland Security could be the "entry point" for working with industry on sharing threat information.
The witnesses generally shared that view. They were also basically in accord on what Congress could do to help find the right balance.
Ranking Minority member Yvette Clarke (D-NY) said she was also looking for the right balance. She said that many government programs do not involve collecting PII, but that where the private sector needs to share, the privacy of citizens should also be protected.
Callahan said that fair information privacy practices (FIPPS) should be part of any legislation, and that the legislation should be informed by the voluntary cybersecurity framework created by the President's executive order, calling it a useful baseline.
McGuire agreed, but added that a civilian agency, like the Department of Homeland Security, should take the lead on info sharing between industry and government, and cited the need for liability protection for companies so that they feel comfortable sharing.
Pearson also agreed, adding that Congress should exercise its oversight role to make sure that agencies and stakeholders are discharging their obligations.