[…]
Around the
time that CISPA was originally introduced in late 2011, NSA, DOD, and DHS
officials were actively meeting with the aides on the House Intelligence
committee who drafted the legislation, the internal documents show. The purpose
of the meeting, one e-mail shows, was to brief committee aides on "cyber
defense efforts." In addition, Ryan Gillis, a director in DHS's Office of
Legislative Affairs, sent an e-mail to Sen. Dianne Feinstein (D-Calif.),
chairman of the Senate Intelligence committee, discussing the pilot program
around the same time.
AT&T and
CenturyLink are currently the only two providers that have been publicly
announced as participating in the program. Other companies have signed a
memorandum of agreement with DHS to join, and are currently in the process of
obtaining security certification, said a government official, who declined to
name those companies or be identified by name.
Approval of
the 2511 letters came after concerns from within the Justice Department and
from industry. An internal e-mail thread among senior Defense Department,
Homeland Security, and Justice Department officials in 2011, including
associate deputy attorney general James Baker, outlines some of the obstacles:
[The
program] has two key barriers to a start. First, the ISPs will likely request
2511 letters, so DoJ's provision of 3 2511 letters (and the review of DIB
company banners as part of that) is one time requirement. DoJ will provide a
timeline for that. Second, all participating DIB companies would be required to
change their banners to reference government monitoring. All have expressed
serious reservations with doing so, including the three CEOs [the deputy
secretary of defense] discussed this with. The companies have informally told
us that changing the banners in this manner could take months.
Another
e-mail message from a Justice Department attorney wondered: "Will the
program cover all parts of the company network -- including say day care
centers (as mentioned as a question in a [deputies committee meeting]) and what
are the policy implications of this?" The deputies committee includes the
deputy secretary of defense, the deputy director of national intelligence, the
deputy attorney general, and the vice chairman of the Joint Chiefs of Staff.
"These
agencies are clearly seeking authority to receive a large amount of
information, including personal information, from private Internet
networks," says EPIC staff attorney Amie Stepanovich, who filed a lawsuit against
Homeland Security in March 2012 seeking documents relating to the program under
the Freedom of Information Act. "If this program was broadly deployed, it
would raise serious questions about government cybersecurity practices."
In January,
the Department of Homeland Security's privacy office published a privacy
analysis (PDF)
of the program saying that users of the networks of companies participating in
the program will see "an electronic login banner [saying] information and
data on the network may be monitored or disclosed to third parties, and/or that
the network users' communications on the network are not private."
An internal
Defense Department presentation cites as possible legal authority a classified
presidential directive called NSPD 54 that President Bush signed in January
2008. Obama's own executive
order, signed in February 2013, says Homeland
Security must establish procedures to expand the data-sharing program "to
all critical infrastructure sectors" by mid-June. Those are defined as any
companies providing services that, if disrupted, would harm national economic
security or "national public health or safety."
Those could
be very broad categories, says Rosenzweig, author of a new book called "Cyber
War," which discusses the legality of more widespread monitoring of
Internet communications.
"I think
there's a great deal of discretion," Rosenzweig says. "I could make a
case for the criticality of several meat packing plants in Kansas. The
disruption of the meat rendering facilities in Kansas would be very disruptive
to the meat-eating habits of Americans."
[…]
No comments:
Post a Comment