Weeks of revelations about secret U.S. surveillance programs could stymie progress on negotiations over new laws and regulations meant to beef up the country’s defenses against the growing threat of cyber attacks, cybersecurity experts say.
Current and former cybersecurity officials say they worry the ongoing disclosures about secret National Security Agency spying programs by former NSA contractor Edward Snowden could trigger hasty or rash actions by Congress or the private sector, hampering efforts to enact an effective cyber policy.
The Obama administration, lawmakers and the private sector in recent years have been negotiating how the government and industry should partner to protect critical infrastructure like power plants against a growing threat of cyber attacks.
Despite the emerging consensus that U.S. cyber defenses must be improved, the conversation has sputtered amid disagreements about liability and privacy protections, the creation of new industry standards and other critical elements.
Now, cybersecurity leaders say the leaked details of the vast scope of NSA’s online data gathering may hamper efforts to draft cyber policies, such as greater information-sharing between government and industry.
“It’s opened up a big can of worms about what the government’s role is, which is already a big open question in cyberspace,” said Bruce McConnell, the Department of Homeland Security’s Acting Deputy Undersecretary for Cybersecurity. “I don’t think this is going to be helpful in making Congress, who tends to be risk-averse, forge new policy agreements.”
“The Snowden revelations have made the Congress more uncomfortable with providing clear authorities to the government,” McConnell told Reuters on the sidelines of the SINET Innovation Summit in New York on Tuesday.
The House of Representatives made the first legislative challenge to NSA’s data gathering in July through an amendment to the defense appropriations bill.
The proposal, opposed by the White House and the intelligence community, failed by a narrow 12-vote margin. In private conversations, government officials said they hope Congress does not “let a good crisis go to waste.” Instead, they want to use the heightened public attention to cyber operations to spur a constructive conversation about better cybersecurity.
“It is sensitizing people to ask the question, ‘what is the role of government?’ It’s forcing that dialogue to happen,” Douglas Maughan, who runs the cybersecurity division at the Department of Homeland Security’s Science and Technology Directorate, told Reuters at SINET.
The House recently passed a bill that would increase the sharing of cyber threat information between the private sector and the government. But in a repeat of last year’s failed attempt to pass such a law, the White House has threatened to veto the bill over privacy concerns. The Senate has yet to introduce its version of an information-sharing bill.
Both Maughan and McConnell, who is leaving DHS for the EastWest Institute, a think tank focused on conflict resolution, said Snowden’s revelations have so far not hurt the department’s cybersecurity partnerships with the private sector. But they expressed worries about what Congress might do next.
“That’s the concern, that people are going to have a knee-jerk reaction and try to rush a legislative remedy,” Maughan said.
Mark Weatherford, who preceded McConnell at the DHS before joining the Chertoff Group consulting firm this year, said the lack of major NSA-related legislative proposals shows appreciation of the value of digital intelligence gathering, which officials say has helped thwart numerous terrorist plots.
But he agreed that public concerns over the scope of government surveillance online convolute policy progress.
“We are in a more complicated debate now,” Weatherford said. “It’s going to take a couple of years to recover from the perception that the government is overreaching.”
Some private sector cybersecurity executives also concede that trust in government’s handling of private data has suffered from the Snowden revelations. They echoed concerns about an erosion of trust expressed by prominent hackers and cyber experts at two major security conventions in recent weeks.
“All the policies are stepped backwards,” SINET founder Robert Rodriguez told Reuters. “You’ve got to build the trust again.”
(Reporting by Alina Selyukh, editing by Ros Krasny and David Gregorio)