President Barack Obama played his cards right with the recent roll-out of the Executive Order for Improving Critical Infrastructure Cybersecurity. He floated the Order back in November so folks wouldn’t be surprised and he waited for a cybersecurity bill to stumble and then he rolled his Order out with pomp and ceremony in his State of the Union address. The President has succeeded where the Congress has thus far failed, and the biggest reason for that success is privacy. It turns out that not only do folks care about privacy; it can be the difference between winning and losing.
The Cyber Intelligence Sharing and Protection Act (CISPA) was introduced in 2011. It got through the House but died in the Senate. Some say it died because the Senate was working on its own bill. Others say it died because the President wanted to roll out his Executive Order. I say it died because it didn’t incorporate privacy.
If you look at the Executive Order and CISPA, there are similarities. They both talk about information sharing in terms of the Government and private sector sharing information on cyber threats, and both focus on the critical infrastructure protection.
But CISPA and the Executive Order also have big differences. CISPA goes beyond the protection of critical infrastructure and national security threats. It also covers information sharing for the purpose of preserving a person’s physical safety and preventing any cyber security crimes. There are a lot of ways folks can be hurt and there are a heck of a lot of cybercrimes. That means the scope of CISPA is much broader than the Executive Order. Folks aren’t looking for another Patriot Act, and CISPA was starting to feel like a return to the land of warrantless searches of electronic content for broader purposes.
Another big difference between the Executive Order and CISPA is the focus on privacy. In his State of the Union address, the President said, “I signed a new executive order that will strengthen our cyber defenses by increasing information-sharing and developing standards to protect our national security, our jobs, and our privacy.” National security and jobs are two of the biggest things that keep Presidents up at night. The fact that he included privacy along with national security and jobs is major.
The Bill and the Executive Order also read very differently from a privacy perspective. I’m not claiming this is a scientific way to test for privacy sensitivity, but the Executive Order mentions privacy fourteen times in five pages. CISPA mentions privacy three times in twenty-seven pages. On a more substantive level, the Executive Order ties Federal Agencies’ use of information to the Fair Information Practice Principles. It says that the Chief Privacy Officer of the Department of Homeland Security will perform privacy risk assessments and consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget (OMB); and it states that the Cybersecurity Framework will be designed to protect individual privacy and civil liberties. CISPA doesn’t contain these privacy niceties.
Companies have come a long way in realizing that if you build privacy into the design of products and services and embed privacy throughout the life cycle of technologies—from the early design stage to their deployment, use and ultimate disposal—that you’ll make customers happy. And happy customers will spend more money with you and support your products. The concept is called “Privacy by Design.”
With Barack Obama’s Executive Order on cybersecurity, we see what “Privacy by Design” can do for political success.