Cybersecurity Plan May Pose Privacy Problems

WASHINGTON -- Amid published reports that a pared-down Bush administration cybersecurity policy is circulating, critics of a previous draft of the "National Plan to Secure Cyberspace" are still worried about what's in the plan, and what has been left ambiguous.

The Associated Press reported Tuesday on a White House internal draft of the cybersecurity plan that would trim the number of proposals from 86 to 49 and would cut most of the recommendations for private industry. The revised draft gives the new U.S. Department of Homeland Security most of the responsibility for ensuring Internet security, AP reported.

The White House isn't commenting on specifics in the new draft, because it's still a work in progress, but many of the changes to the draft since it was released in September are to the format of the document, rather than the content, said Tiffany Olson, deputy chief of staff for the President's Critical Infrastructure Protection Board.

Olson dismissed concerns from published reports that the new draft cuts out a recommendation to consult with civil liberties groups over privacy issues. The working draft of the cybersecurity plan strengthens its privacy protections by creating a privacy officer in the Department of Homeland Security and making privacy a "common thread" throughout the document instead of just one recommendation, she said.

The privacy officer hasn't been appointed yet. "I'm sure whoever is selected is going to be well aware of privacy issues and concerns," Olson said, when asked how privacy advocates will be assured of protection.

Wayne Madsen, a senior fellow at the Electronic Privacy Information Center, said he's more concerned about what's not in the revised draft than what's still there. Although he's not seen the new draft, Madsen said he's worried that the Bush administration is leaving the plan ambiguous to avoid controversy, so that the Department of Homeland Security can later enact policies that could allow the government to keep close tabs on private citizens.

"The danger is not what's said, but what's not said," Madsen added.

One proposal that didn't make the original draft is to license all computer security personnel at government agencies and private companies, Madsen claimed. With security workers "deputized," their allegiances might be torn between their co-workers' privacy and the government.

"They would've loved to have said that in black and white in this plan," he said. "They've obviously learned quite a bit from releasing these plans in the past."

While Madsen said he believes the licensing plan is still being considered in the White House, Olson said she's not aware of such a proposal. The draft released in September can be found on WhiteHouse.gov. Revisions continue and there is no set time for President George W. Bush to approve the plan, Olson said.

Olson noted that the plan in progress doesn't include any regulations for private industry. "Mandates create a lowest common denominator," she said. "We don't want a lowest common denominator for security."

Bob Crowley, senior vice president of encryption company Research Triangle Software of Cary, North Carolina, said he would welcome fewer recommendations in the Bush plan because the original draft showed a "lack of understanding of the way software is made and distributed."

Crowley questioned earlier recommendations for the tech industry to create a national clearinghouse for security patches and for companies to share their security procedures with their industries. "I don't think that's a good idea," he said. "If you tell somebody, it's no longer secure."