Business Roundtable's High-Handed Cybersecurity Plan: Shielding Corporations from Basic Accountability

Bea Edwards, January 28, 2013

This month, the Business Roundtable (BRT) posted an alarming proposal: "More Intelligent, More Efficient, Cybersecurity Protection." The BRT is an association of the CEOs of the largest U.S. corporations. Its members represent companies that collect combined annual revenues of over $7.3 trillion, so when the BRT speaks, Congress tends to listen.

In brief, the 32-page declaration on cybersecurity states the BRT’s case for a legal alliance between the private sector and intelligence agencies that will exempt corporations from lawsuits as they wage cyber warfare. 

The argument is simple: much of the American economy is privately owned: banks, chemical plants, toll roads, energy systems. If cyber-enemies were to attack and disable critical functions, the damage would be crippling. Therefore, government and the private sector must establish a new legal framework for cyber defense, and this arrangement will allow the fluid exchange of privileged information between the country’s intelligence agencies and the private corporations that sit at the Business Roundtable.

Here at GAP, where we work with whistleblowers from both the national security and the finance worlds, the prospect of secret collaboration between the two spheres is frightening. Over the course of the past ten years, whistleblowers have reported to us on cronyism, fraud, cover-up, illegality and corruption at the top of the National Security Agency, CIA, AIG and many of the country’s largest banks, costing taxpayers hundreds of billions of dollars.

Moreover, the self-interested crimes reported made the United States more vulnerable, not only to cyber threats, but also to economic collapse. 

From one whistleblower we learned the NSA shut down an effective, inexpensive program that sorted through the sea of electronic communications washing around the world daily and found threatening email and telephone connections. The NSA preferred a costly and cumbersome program built by a well-connected private sector contractor – a program that, in the end, didn’t work and had to be abandoned.

Whistleblowers at major US banks have produced documentation showing widespread fraud in the pre-2008 mortgage origination and servicing business that wrecked the industry. We’ve also seen far-reaching incompetence, negligence and cover-ups at financial institutions that brought on the Great Recession.

Nonetheless, the BRT and the USG are proceeding down the path toward a “partnership” between national intelligence agencies and private corporations that is virtually oversight-free. In January 2013, we’re seeing the BRT proposal in pre-publication detail for the first time. Yet a couple of weeks ago, Ellen Nakashima wrote a piece in the Washington Post indicating the collaboration between US financial institutions and the intelligence community is already well underway.

In fact, the Congress tried to set this up more officially just last year but failed: H.R. 3523, the Cyber Intelligence Sharing and Protection Act (CISPA), passed in the House last April. It would amend the National Security Act of 1947. According to the BRT, the legislation would:

[E]nable national intelligence agencies to share strategic threat assessments and other pertinent intelligence, including classified information, with private-sector entities that own or operate major information systems and other critical infrastructure systems. More important, the bill removes legal barriers to information sharing and establishes a protected framework for the bidirectional sharing of information between the public and private sectors (p. 4).

Although the legislation did not pass the Senate, the government and its private sector friends are evidently proceeding. This is never a good idea in a democracy. Insider CEOs sit down at their roundtable with select politicians and come up with a scheme for protecting and advancing their own interests, which they then announce publicly as a plan with benefits for all of us.

Because the scheme is designed to promote and protect specific interests, though, it’s not presentable in raw form. Therefore, it’s unveiled as an effort to protect us all, and it’s written in denatured bureaucratic prose that is hard to penetrate.

Let’s parse the BRT proposal just posted, for example.

The government must create a clear and concise legal framework for both private sector to private sector and private sector to public sector sharing, with appropriate liability, antitrust and freedom of information protections for those acting within the framework. All of the actions proposed by BRT depend on the advancement of information sharing and removal of current legal barriers.

“Current legal barriers” are, of course, our rights as citizens to privacy and to information about what the government is doing. What the BRT is actually proposing here is not liability, antitrust and FOIA “protections” from just anyone. The BRT is saying it needs protection from us. Although we’re all in this together, BRT firms must be protected not only from formidable cyber criminals and hostile “nation-state actors,” but also from U.S. citizens who might ask what’s going on.

John Wonderlich, Policy Director at the Sunlight Foundation, which works for transparency in government, had this to say about the prospect of public/private cooperation on intelligence as proposed by CISPA:

Let's make something clear. The Freedom of Information Act is the law that lets the public force the government to determine whether information should be released or not. The Freedom of Information Act doesn't guarantee that information will be released, but just that anyone can request its release, and then have a legal process to try to provide a fair ruling on whether that information should be made public. Information that shouldn't be shared is already protected by law, through largely uncontroversial exemptions.

The FOIA is, in many ways, the fundamental safeguard for public oversight of government's activities.

So as it stands, FOIA does not automatically trigger the release of information from a government agency. At GAP, where we work frequently with FOIAs, we wouldn’t argue that the FOIA is an expeditious and efficient way to obtain information. For example, when Google called on our spy agencies to help with cyber attacks in 2010, the Electronic Privacy Information Center (EPIC) filed a request for data about the deal under the Freedom of Information Act. The FOIA was denied, and when EPIC appealed, it was denied again.

Nonetheless, the BRT wants even the law that permitted the request to be diluted, just in case some judge someday decides that the public has a right to information about back-channel, high-level public/private intelligence collaboration.

Since 9/11, we’ve learned the hard way that “national security” can be used to cover a multitude of sins. Think “enhanced interrogation techniques” and Abu Ghraib. Do we really want to cast the cloak of national security over credit default swaps and the shadow banking system? 

Because that’s exactly what the Business Roundtable is proposing. And not just that. The BRT also wants many of the same legal immunities that the government has. If the proposal for this “More Intelligent, More Efficient Cybersecurity Protection” proceeds, we’re surrendering the right to ask anything about it: like how much it costs and what it’s authorized to do – to us.
 

Bea Edwards is the Executive Director for the Government Accountability Project, the nation's leading whistleblower protection and advocacy organization.