The Lieberman-Collins Cybersecurity Act of 2012 attracted its share of negative press and criticism, so it’s with a certain sense of victory that Sen. Joe Lieberman has revamped the bill as Cybersecurity Act of 2012 (S. 3414). Though it is an improvement upon its former incarnation, addressing the major privacy concerns raised through Internet user protest, S. 3414 is far from perfect.
As EFF notes:
Make no mistake – we remain unpersuaded that any of the proposed cybersecurity measures are necessary and we still have concerns about certain sections of the bill, especially the sections on monitoring and countermeasures. But this was a big step in the direction of protecting online rights, and we wouldn’t be here without the support of Internet users contacting Congress in droves.
Lieberman, however, seems quite pleased with the result, which should help the bill pass through the Senate.
“We are going to try carrots instead of sticks as we begin to improve our cyber defenses,” Lieberman, said in an e-mail statement. “If that doesn’t work, a future Congress will undoubtedly come back and adopt a more coercive system.” Either way, Lieberman is getting what he wants.
The carrot approach is an incentive-based program to encourage operators of critical infrastructure to improve defenses against cyber attacks.
This bill would empower neither the NSA nor the Department of Homeland Security but private entities to insulate themselves from cyber attacks. It would also limit the circumstances under which user data would flow to the government: 1) in the event of a cybercrime investigation, 2) an imminent threat of death or bodily harm, and 3) a threat to minors or to physical safety.
No doubt the best part of the bill is the provision which would prohibit user data collected in cybercrime investigations to be used in investigating and prosecuting other unrelated crimes. For instance, if user data was passed along to the government as part of a cybercrime investigation, it could not be used to investigate or prosecute a crime dealing with drugs.
EFF notes that the bill also “makes it clear that Constitutionally-protected free speech and terms of service violations won’t constitute a ‘cybersecurity threat.’” But EFF and other privacy advocates are criticizing the “cybersecurity excuse” that allows entities to carry out nearly unlimited monitoring of user data or counter-measures, such as blocking or dropping packets (when data heading to and from a website does not reach its destination).
