Last year, the Administration made its views on the importance of privacy and civil liberties clear during deliberations on cybersecurity legislation. The Administration declared, “Cybersecurity and privacy are not mutually exclusive.” It also affirmed its commitment that “[t]he sharing of information must be conducted in a manner that preserves Americans' privacy, data confidentiality, and civil liberties….”
Today, as we roll out the Executive Order on Improving Critical Infrastructure Cybersecurity, the Administration is just as resolute about adhering to those ideals.
As Deputy Secretary Lute and General Alexander have emphasized, one of the most important aspects of the Executive Order is its emphasis on improving government mechanisms for providing timely cyber threat information to the private sector. For example, the Executive Order explicitly adopts a “whole-of-government” policy to increase the volume, timeliness, and quality of cyber threat information that is shared with the U.S. private sector so that they may better protect and defend themselves against cyber threats. In that vein, the Order mandates expansion of the Enhanced Cybersecurity Services initiative—a voluntary program that provides classified cyber threat information to appropriately cleared personnel employed by private sector owners and operators of critical infrastructure. In addition, the Order requires the Department of Justice, the Department of Homeland Security, and the Office of the Director of National Intelligence to declassify cyber threat intelligence reports that target U.S. entities and to establish a process for rapidly notifying those entities of cyber threats. These are critical initial steps that the government must take to assist private sector companies in defending their systems and networks from escalating, evolving, and increasingly sophisticated cyber threats. In taking these steps to improve the flow of cyber threat information, however, we must not lose sight of our commitment to secure individual privacy and civil liberties as we do it.
How will we ensure that information received and disseminated under the Executive Order is protected consistent with our commitment to protect privacy and civil liberties?
We will do so by ensuring that our cybersecurity activities are conducted in a transparent manner with the guidance and oversight of officials trained to safeguard privacy and civil liberties. Under the Executive Order, each federal department and agency is required to develop and implement privacy and civil liberties safeguards in concert with their cybersecurity activities. Each agency’s senior officials for privacy and civil liberties are required to conduct assessments of those safeguards and their implementation. Those assessments will be shared with DHS’ Chief Privacy Officer and Officer for Civil Rights and Civil Liberties for inclusion in a public report. That report will be produced in consultation with the Privacy and Civil Liberties Oversight Board and reviewed annually.
The Executive Order includes another important feature designed to ensure that federal agencies take a consistent and thorough approach to identifying and mitigating potential privacy impacts of cybersecurity activities. In particular, it requires agencies to conduct their assessments using the well-established Fair Information Practice Principles—also known as “FIPPs.”
So what are the “FIPPs”? FIPPs are the widely accepted framework of principles used to assess and mitigate privacy and civil liberties impacts of information systems, processes, or programs. They consist of eight interdependent principles—Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing.
The FIPPs provide an objective set of principles, but they also permit agencies to apply those principles in the context of their differing authorities and missions. They are not a new invention of this Executive Order. Rather, they are time-tested and universally recognized principles that form the basis of the Privacy Act of 1974 and dozens of other federal privacy and information protection statutes. They continue to be used prominently today, including in the White House’s National Strategy for Trusted Identities in Cyberspace and the Consumer Privacy Bill of Rights.
In closing, I want to emphasize the Administration’s commitment to doing this right—which is demonstrated by the Executive Order itself. This Order sets the direction for responsible, effective cybersecurity standards and information sharing, while preserving individual privacy and civil liberties and ensuring transparency and accountability to the American public we seek to protect.