Digital Version of November/December 2014 Print Edition
Privacy group urges rules distinguish between Cyber crime and Cyber terror
A privacy group urged the federal agency charged with drawing up a national framework for Cyber security protections to make distinctions between criminal activity and terrorist threats on the Internet.
In April 8 comments filed with the National Institute of Standards and Technology’s request for information on that agency’s development of a Cyber security platform under president Obama’s executive order, the Electronic Privacy and Information Center, said the distinction is critical to effective, proportionate response.
“The overwhelming majority of Cyber security incidents do not fall within the ‘national security’ designation. As Deputy Secretary Lute has noted, cyberspace should not be managed like a warzone,” said EPIC.
EPIC, which also pushed for solid privacy and civil rights protections based on DHS privacy policies and the president’s “Fair Information Practices (FIPs), said most Cyber security issues amount to civilian crimes committed in cyberspace and are best handled by state and local law enforcement and not as matters of national security. Misappropriation of intellectual property, cyber-espionage, and hacktivism, don’t pose national security threats and should not be treated as such, it said.
Instead, it said the Cyber security framework should focus on reducing risks to critical infrastructure, which it defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
According to EPIC, only when Cyber security incidents encompass those parameters are they properly classified as Cyber terrorism and fall under national security.
“Too often claims of national security tip the transparency-secrecy scale towards secrecy; thus the Cybersecurity Framework should clearly define what encompasses national security threats. Even those aspects of the Cybersecurity Framework that do fall under national security should be transparent whenever possible,” said EPIC.