By Brian Fung
Among them is the National Institute of Standards and Technology. With the private sector’s input, NIST has been putting together an obscure but important proposal to improve the nation’s resilience against malicious hackers.
Buried in the back of it is a series of recommendations that, if approved, might pave the way for stronger government oversight of businesses when it comes to their use of personal information.
They include suggestions such as figuring out what exactly a company knows about its employees and its customers; whether its handling of the information poses a security risk; and how to treat personal data in the event of an online attack.
These ideas are based on a common set of privacy principles that don’t have the force of law. But according to Stewart Baker, the NSA’s one-time top lawyer and former Bush administration official, the NIST guidelines could eventually turn into more enforceable regulations:
That’s because of how the cybersecurity executive order treats NIST’s work product. Once NIST has finished the framework, next January, the administration plans to use a wide range of incentives to get industry to adopt the framework. But the document’s effect will be felt as soon as a preliminary draft is issued in October. The executive order instructs every regulatory agency in the federal government to review the preliminary NIST framework and report to the President on whether the agency has authority to impose NIST’s framework on the industries it regulates. If an agency lacks authority, it will almost certainly be invited to go ask for it. This means that the privacy appendix, which made its first appearance in public in the dead of August, will have a potentially irreversible effect as early as October 10, when NIST is due to issue the preliminary framework.
Baker argues that due to this possibility, the privacy guidelines have no place in NIST’s proposed framework. Perhaps it might be better for Congress to write its own privacy protections into a comprehensive piece of IT security legislation. But for more than a year, Congress has failed to agree on a bill, with privacy usually being the key sticking point. Civil libertarians hated CISPA, the House’s proposed law, because they feared that it was overly intrusive. (The White House agreed, twice threatening a veto.) The Senate, meanwhile, has yet to unveil its version of a bill. We’re as far from a law today as ever.
Which leaves NIST’s draft framework as the next best alternative. Despite the fact that the government is assembling the document, the process for determining what goes in it has mostly been led by industry — the result of numerous comments from the private sector urging against new mandatory requirements (note: As of Oct. 11, that link to NIST is broken due to the government shutdown). NIST, sensitive to the risks of looking like it’s imposing something on corporations, has been quick to get out of the way, and industry groups ranging from U.S. Telecom to BSA — The Software Alliance have been quick to applaud the administration on its hands-off approach.
“I’ve personally attended all four of the NIST workshops and I think there’s been great industry representation,” said John Marinho, a cybersecurity executive at CTIA — The Wireless Association. “NIST has done a very, very good job of bringing all the right stakeholders together.”
“Relative to what NIST was asked to do,” said Lockheed Martin’s Lee Holcomb, “I would give them a very good score.”
Business leaders say that Baker’s doomsday scenario seems unlikely. There are a lot of leaps between the voluntary regime being floated now and a brand-new circle of regulatory hell. For example, the principles would have to be finalized as-is and avoid being watered down (some privacy critics would say the principles are already broad and toothless). Then, to get businesses to swallow the voluntary principles, the White House would likely need to dangle additional incentives, such as promises of better liability protection. Since some of these would require an act of Congress — a body that isn’t really in a position to do anything right now — that effort would probably fail. And then, before turning the privacy principles into actual regulation, the government would need to solicit feedback from industry sources who would be pretty irate.
Chances are the final language on privacy will be weakened. But it’s better than nothing. The fact that privacy gets an explicit mention at all is significant given that prior legislation has mostly treated it as an afterthought. And some businesses, such as Microsoft, would like to see the privacy principles integrated more tightly with the cybersecurity recommendations, making them easier for smaller companies to adopt.
I’ve argued before that waiting for Congress to act against hackers is a waste of time — if fortifying the nation’s online defenses requires a federal agency to move first, so be it. And if it winds up strengthening privacy protections in the process, so much the better. At the risk of over-optimism, perhaps this agreement may even serve as the seed for a congressional compromise.