Over the past few years, the Obama administration and Congress have taken a variety of legislative runs at creating comprehensive cybersecurity law.
In some of the cases (like SOPA), the legislation was killed because of public outcry over its overwhelming intrusiveness and stupidity. In other cases, legislation didn't make it because them damn-fool politicians tried to weigh down the proposed laws with unrelated riders, making the bills all but unpassable.
Now, we're hearing that President Obama may issue an Executive Order covering some of the elements that were in CISPA, the most recent bill before Congress.
One area the EO can't cover, though, is information sharing. Information sharing in law enforcement and national security is essential, but in a democracy, so is privacy. The challenge is how we balance those two factors.
For example, it's important that the government have the power to compel a private organization to turn over digital records in the event of a legitimate threat (say, trying to track down a nuke hidden in one of our cities). But it's also important that the government not have the power to just willy-nilly read our email.
Likewise, it's important that a company, say Twitter, Google, or Facebook, have the legal permission to turn over some of our records in the case of a similar national security threat, but not be permitted to sell our personal information just so they have some sort of profit model.
Fortunately, a lot of existing case law covers this, and it's probably not necessary to add a layer of cybersecurity law on top of it all.
For example, let's say the FBI is running down a credible threat and they have reason to believe that someone's Facebook account will have messages that may provide clues to the nuke's location. That's simple. Visit a judge, get a court order, and investigate. It's no different than getting a search warrant in meat space.
The issues of privacy we're dealing with aren't hard (unless you get politicians involved). They're essentially a variant of IF/THEN coding.
- IF there's a real threat, THEN this might be necessary, so let's go see a judge.
- IF we just want to pry into someone's life, THEN when we see the judge, we'll get kicked out.
- IF there's a reasonable threat, THEN we allow a company to turn over data to the government.
- IF (there's a threat deemed valid by a judge AND we can save lives by allowing two companies to share data), THEN the law can protect the liability of those two companies.
Do you see how we can codify (i.e., code) these situations into a series of relatively clear rules?
The bottom line is this: we do need better cybersecurity guidelines and laws, but we also need to reuse the code we've already got -- laws and regulations that already do what we need.