“No one should mistake the common cause of securing our homeland for authority to violate the civil liberties of Americans,” Rep. Patrick Meehan (R-Pa.), chairman of the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, said during an April 25 hearing on Capitol Hill.
Meehan orchestrated the House hearing to discuss ways the Department of Homeland Security can prevent cyber attacks on government and critical infrastructure key resources while ensuring the privacy and protection of citizens.
In addressing these and other related issues, Meehan called Mary Ellen Callahan, partner at Jenner & Block and former chief privacy officer at DHS, Cheri McGuire, vice president of global government affairs and cybersecurity policy at Symantec, and Harriet Pearson, partner at Hogan Lovells, to testify.
Cybersecurity and privacy need to be integrated to protect U.S. assets most effectively, Callahan said. Increased cybersecurity should also translate to enhanced privacy. According to Callahan, DHS already integrates privacy with cybersecurity and incorporates fair information practice principles in all cybersecurity programs and hires trained cyber-privacy personnel.
The department also provides cyber-specific privacy training for cybersecurity analysts and federal privacy professionals and ensures the accountability of the Cybersecurity Program through privacy compliance reviews. Callahan called the DHS strategy “privacy-by-design,” which involves incorporating privacy protecting measures into DHS standard operating procedures related to cyber.
Callahan went on to advise private-sector clients to implement similar privacy-by-design strategies.
“Symantec supports an approach that allows us to share threat indicators and related nonpersonally identifiable information within industry and with the government,” McGuire said. “In our view, companies should receive legal protection for sharing appropriate information with other companies or civilian agencies, and we believe that data minimization standards are a reasonable approach.”
Despite recent legislation encouraging information sharing between government and the private sector, McGuire said businesses often receive cyber threat information days or even weeks after the threat has been identified. This information is of little value because the private sector has already taken steps to neutralize the threat.
“Information sharing is founded upon and enabled by trust,” McGuire said. “That trust is weakened when government information sharing mandates are imposed on industry. Enhanced self‐interest and a flexible approach are more likely to improve information sharing than government mandates.”
Meehan’s opening statement at the cybersecurity hearing: