
The Communicators, C-SPAN, August 22, 2011, 8:00pm-8:30pm EDT

8:00 pm
privacy information center and Larry Clinton of the Internet Security Alliance. This is part three of a month-long series on cybersecurity.
>> Host: And this is week three of the Communicators series on cybersecurity. This week, we're talking with interest groups who have a stake in cybersecurity issues. First up, Marc Rotenberg of the Electronic Privacy Information Center. He's the executive director there, and we want to talk to him about the privacy concerns from the White House cybersecurity proposals. When you look at what the White House has released over the past few months, earlier this summer, where do your concerns lie when it comes to privacy?
>> Guest: A lot of what the White House has done with proposals is actually pretty good. It's a complicated topic, a lot of different agencies that need to be consulted, and I think the White House has done a good job of coordinating across several agencies. The key issue for many
8:01 pm
Americans, how to security in cyberspace. There's civil liberty issues here because the White House is also claiming some new authority for the government to collect information on how people use the internet as well as some new authority to intercept private communications, and we understand why they do that, but we think when the activities are looked at closely, the need for clear legal standards really becomes apparent, and I would begin by saying one of the key privacy concerns is that when the government takes these powers, there have to be very clear legal reasons and clear accountability and oversight.
>> Host: In response to what the White House released, you said, or EPIC said, there should be legal standards, not voluntary guidelines.
>> Guest: Yes. This is a key point. You see, the White House is trying to address privacy and civil liberty concerns.
8:02 pm
I hear a lot about this, and I think they genuinely recognize that these are important issues, but at the same time, they seem to be a bit reluctant to take the type of meaningful steps we would like them to take, so, for example, you could update the federal wiretap law. I mean, it's been 25 years since there have been significant amendments to that act. People are using communication technologies in new ways, and the White House could say, in conjunction with our cybersecurity efforts, we want to update that law to provide the same kind of protections we tried to establish 25 years ago. You probably need some new types of oversight. You've got government collecting information in new ways, and those kinds of concrete proposals on the privacy and civil liberties side are missing.
>> Host: Quickly, before we get the guest reporter involved, you talked about new authority that the White House calls for. Can you give us an example of that?
>> Guest: Well, the Department of Homeland Security is pursuing
8:03 pm
new security techniques which they call first intrusion detection, and then intrusion prevention. I think the name for the project is Einstein 3. What they are trying to do is to identify specific activities on the internet that look malicious, and they want to have better tools to identify that activity and to prevent it, but that technique also gives the government new ways to capture information online, and our obvious question is how else might that technique be used, and I would say before we go to Gautham, the other point is we've recently seen how governments use these authorities in ways that cause us concern, and this is not just about China and the firewall that blocks access and suspended access for a period of time, and now we have the prime minister
8:04 pm
of Great Britain talking about limiting access to social networking services, and here in the United States, the transit authority in the San Francisco Bay Area turned off cell phone towers concerned about political protests, so I think we need to recognize the significance of some of the recent developments when talking about this particular policy, which is probably a bit abstract to some of your viewers.
>> Host: A technology reporter with The Hill newspaper.
>> Guest: Thanks, Peter. Marc, you touched on this briefly, the government shutting down portions of the internet, obviously a hot topic given the protests in the Middle East and the violence in London. This plan doesn't specifically seem to address whether or not the president can intercede; however, the president does have the authority to take action in private networks under a very old, 1941 I believe, provision of the
8:05 pm
Communications Act. Does EPIC have a reaction to that?
>> Guest: One of the policy debates I think people in Washington just love. The heading for this, of course, is the internet kill switch, and the big concern that people had when they first looked at some of the proposals for cybersecurity, and I think it was the legislative proposals on the Hill, was that somehow the president would go down to the basement of the White House and flip this big switch to the off position, and the internet would stop working. I think that couldn't happen realistically for lots and lots of reasons. The internet is not designed in that way to centralize that type of control. When it happened in Egypt last year, that was mostly because there were four access points to the internet that made it possible for the Egyptian government to do that. I don't think that can happen in the U.S. What the question goes to is, I think, an interesting point: what type of authorities would the president have in a genuine cyberwarfare scenario?
8:06 pm
That mirrors other debates taking place right now about when does the president need to go to Congress and what can he do on his own authority. The White House has to think about those issues because if we found ourselves in a cyberwar scenario, the president would have to make some decisions, particularly if the internet was, you know, part of the battlefield.
>> Host: I think a lot of people are wondering if we were to see, and fortunately that's not the case, but events similar to what we see in London right now, or even the San Francisco transit authority as mentioned, is this something under the proposal, in your view, that could take place? Could the federal government shut down portions of a social media site if used to provoke violence?
>> Guest: Difficult to do, but there's experience in the United States that's a bit of a warning, you might say, and that's surrounding WikiLeaks. When the U.S. government began to express concern about
8:07 pm
WikiLeaks' activity and you had the Secretary of State Clinton and Senator Lieberman talking about the problem there, they talked about companies that were providing cloud-based services to WikiLeaks, enabling support directed towards WikiLeaks, and we began through the Freedom of Information Act to explore the question: was the U.S. government actually putting a little bit of pressure on U.S. firms to back off support for an organization that they believed was controversial? So I think there are ways that this could happen. I don't think it would be so dramatic, as I said before, as cutting off access to the internet, but there's other ways to accomplish similar goals.
>> Guest: Switching gears a little bit. In your view, does this proposal seem consistent with the administration's previous actions with regards to collecting data both online and off? Because there are privacy advocates who criticized this
8:08 pm
administration as consistently pushing to increase law enforcement's ability to access community data.
>> Guest: It doesn't go as far as it should go. I think that's the view generally held across the privacy and consumer user community. The White House could be doing more to promote specific legislation. The White House talks a lot about self-regulation, another way of saying they hope the problem will solve itself, but I don't think most people who experienced identity theft or read about the recent instances of security breaches feel the problem is solving itself, so we would like to see them do more. To the extent that it's been consistent in not setting out a legislative agenda, I guess that's true, but not so good for us.
>> Host: Marc Rotenberg, when you read through the White House proposals on cybersecurity and see the references to private
8:09 pm
industry and public-private partnerships, does that concern you?
>> Guest: Well, here what the White House is trying to do is manage the relationship with the private sector in a way to maintain private sector support, so, for example, the private sector has said they don't want a legislative mandate. They don't want the government to take over some of the critical infrastructure that they are responsible for. The White House and the Department of Homeland Security are concerned that some of those networks, for example, the remotely operated electric grids, let's say, or water supply or gas supply, much of this today is now tied into the internet, and so you begin to think about scenarios where those are vulnerabilities, and the White House has the responsibility to safeguard those critical functions, so what they tried to do with the private sector is say, we want to work with you, you need to provide us information, we will provide you with information, but from the privacy perspective, it
8:10 pm
creates risk because now you may have data about user activity moving back and forth between the private company and government without any kind of real independent oversight, and in that relationship, we've said there has to be the consideration of the user, of the consumer.
>> Host: Does the White House cybersecurity proposal, should it address penalties for privacy breaches?
>> Guest: They do, but in a way actually we do not support, because part of the agreement in the proposal to get the information from the private sector over to DHS is to immunize the private sector companies disclosing information about their customers and about their users from any liability. Now, if you're a user or a customer of one of these companies who is not the subject of a criminal investigation, you might wonder why your data ended up at the Department of Homeland Security, and the only real way you have to effect change in that practice would probably be to bring a lawsuit, so if the
8:11 pm
White House immunizes the companies, which is, by the way, similar to what President Bush did around the, you know, Patriot Act amendments when the lawsuits were going forward with allegations of wiretap law violations, it's basically the internet users' rights that are being ignored.
>> Host: This is "The Communicators" program, third week of cybersecurity issues, and we are talking with Marc Rotenberg of the Electronic Privacy Information Center, and Gautham Nagesh is our guest reporter.
>> Host: Thanks, Peter. You spoke about the electric grid, but we heard mentioned this will include financial services firms, internet service providers; that latter category in particular would probably raise some privacy concerns for consumers, given that once DHS or the federal government has access to the data, it's not clear whether or not they can use it for other purposes. Is that something to look at?
8:12 pm
>> Guest: I think the White House's instinct in the area is correct, saying what they put in the report is the goal of ensuring that the information that they gather will only be used for purposes consistent with their cybersecurity mandate, and we agree with that, but we'd like to see that set out clearly in the legislation, and not to create a situation, which oftentimes happens in government, where they get the information for one purpose and say, well, we could also use the information, because now we have the data, for other purposes, whether it's criminal investigation, maybe it's tax collection. I mean, who knows what it might be, and the other purposes might seem reasonable at the time, but you see when you open the gates in this way and enable this type of data flow from the private sector to the government, it's really the interest of the individual user that I think needs to be safeguarded, and the way you have to do that is through legislation.
>> Guest: So what legislation are we talking about specifically? Would you like to see warrants
8:13 pm
necessary in terms of using data, or can you explain?
>> Guest: Well, as a general matter, we think you do need judicial approval before you have private communications in the United States. That's really the core principle with the wiretap laws. There's exceptions, but you want the exemptions to occur around the edges and in special circumstances. You don't want the core principle of review before there's an interception taking place to give way to a system that says the government routinely gets access from ISPs to see if there's anything they need to know about. That could easily happen over time, I think, if some of the language in the legislative proposal is not tightened up a bit.
>> Host: Mr. Marc Rotenberg, you endorsed, or EPIC endorsed, Senator Leahy's Personal Security Act of 2011. Why are you in favor of this legislation?
>> Guest: Well, I think what Senator Leahy is trying to do is
8:14 pm
strengthen data breach notification. This is an interesting development in the privacy world. It's a requirement placed on companies to tell their customers when information about them has been wrongfully disclosed. It may not be, you know, quite as satisfying as knowing their information is always protected, but what we've learned increasingly is when the user data is out there, there's new opportunities for financial fraud, identity theft, and the company takes a hit when it has to concede that, you know, it didn't follow adequate security practices, so Senator Leahy through the privacy legislation is trying to strengthen the data breach notification requirements, including some new penalties, which I think would be very good, and another issue which he has addressed and others on the Hill as well, which is moving to the fore, I'd say, in the privacy world, is the notion of data minimization, recognizing it's difficult to protect information that's being
8:15 pm
collected. I think the view in the expert community and the privacy community is that increasingly companies really need to think about: is it a good idea to collect so much information about individuals? I mean, do you really need Social Security numbers on your customers if you don't have tax reporting requirements? Do you need to keep financial information, and should the information that you're keeping, should that be routinely encrypted? Those are also topics others have looked at.
>> Host: Is Senator Leahy's legislation similar to others?
>> Guest: Well, Congresswoman Mack's bill on the House side I think is a good starting point, but it doesn't go as far as Congressman Rush's bill from the last Congress. One of the accomplishments of the last Congress was to recognize also the significant role that the information broker industry plays in this particular area, and then the
8:16 pm
need, I think, to establish some new privacy safeguards for that industry. What the congresswoman felt was at this point she just wanted to focus on the security side without looking at the privacy issues. Our view is that the privacy issues need to be considered at the same time.
>> Host: Final question.
>> Guest: Speaking of data minimization, we've seen the tension with private industries feeling there needs to be as little data kept as possible, whereas on the other hand, law enforcement, and we've seen in the House bill which, under the purpose of cutting down --
>> Guest: Pushed on the bill.
>> Guest: Yes, I was at the hearing where you testified about that. Can you speak to the tension, and the White House proposal appears to be sympathetic to law enforcement's need to be able to access information. Why do you see the proposal coming down on that divide?
>> Guest: I don't know what the outcome will be, but studying the history of privacy
8:17 pm
law in the United States, I think that one of the accomplishments in one of our original privacy laws was to say to law enforcement quite explicitly, you should really only collect the information that's necessary and related to the criminal investigation that you're pursuing. It is actually the case that currently in wiretap law there's minimization procedures and other legal obligations ensuring that information about innocent people is not gathered. That's the change, and I don't see a reason to make that change at this time.
>> Host: Marc Rotenberg, executive director of the Electronic Privacy Information Center. How is EPIC funded?
>> Guest: I've been struggling with that issue for a long time. We don't take money from the private sector or from the government, so we get contributions from individual donors, some litigation we pursue, and some of the books we sell. We are a modest group, but it's an important issue, and certainly
8:18 pm
it's an issue people are concerned about today.
>> Host: Previously serving as counsel to Senator Patrick Leahy, former chair of the Public Interest Registry managing the dot-org industry, and he's a chess champion. Thank you for being on The Communicators. We'll be right back with Larry Clinton of the Internet Security Alliance. Now on the screen is Larry Clinton, president and CEO of the Internet Security Alliance. Mr. Clinton, let's start by finding out what the ISA is.
>> Guest: It's a trade association created back in 2000, and it represents virtually every aspect of our nation's critical infrastructure: aviation, banks, financial services, etc., and our mission statement is to take advanced technology and blend it with public policy and
8:19 pm
economics to create a sustainable system of cybersecurity, so we're a security organization representing our companies' security interests.
>> Host: When you look at the cybersecurity proposals put out by the White House this summer, what's your reaction? Do you support it? What concerns you?
>> Guest: Well, there's a number of things in the White House's proposal with broad support, like providing more cybersecurity education, developing a much better system within the government to manage their own cybersecurity, research and development on next generation items. I think where we feel that the administration has not met our expectations is when they deal with the private sector. The private sector owns, operates, and frankly creates the vast majority of what is the internet, and we don't believe that without a robust and really engaged partnership between the
8:20 pm
public sector and the private sector we're going to be able to achieve the same sustainable system that the security community is interested in, and so we are disappointed with the entire section, really, that dealt with developing a model for working between the president, the administration, and the private sector.
>> Host: Why are you disappointed? What specifically disappoints?
>> Guest: Well, I attended a conference a month or so ago at George Mason University, and one of the head staff of cybersecurity gave an address, and at the end of the address he was asked, so give us the future? What does this mean? He said that he believed that by 2012, we will have solved all the cybersecurity problems from 2005. I thought that was a pretty accurate and candid view of what the administration's proposal does. They are fighting the last war. The model that they are using
8:21 pm
for dealing with the private sector is largely antiquated. It doesn't really recognize the movement that we have in terms of data moving largely out of the control of individual enterprises and now moving into the cloud. It doesn't really appreciate the advanced nature of some of the really serious threats that we are dealing with, things we call the APT, the advanced persistent threat. It's very sophisticated attacks, often nation-centered. It takes a punitive, sobbing approach to the private sector that we think really creates the wrong incentives. What we really need is a positive engagement with the partners as opposed to a name-and-shame model. That will not provide the investments we need in order to
8:22 pm
create the sustainable cybersecurity.
>> Host: The Internet Security Alliance, when the proposals first came out: "It would be much better if companies were proactively incented so they wanted to find cyberattackers. If you're subject to the name-and-shame penalties, I think that would be a mistake." What would be proactively incenting a company?
>> Guest: Ironically, when President Obama released the Cyberspace Policy Review, which was in May of 2009, he, in his own documents, cited a number of these things. We're talking about using liability incentives, talking about using procurement incentives. The president, at that time in 2009, suggested we needed to provide tax incentives. We think we can also use streamlined regulation. We can do more to bring the
8:23 pm
insurance industry into the cybersecurity equation. What we need to do is get organizations to invest more in cybersecurity, to go a step that is frankly beyond what is demanded by their corporate commercial interests and reach a security level that is in the national interest, and those are different things.
>> Host: Gautham Nagesh, The Hill newspaper.
>> Guest: Thank you. Now, you spoke about the private sector's reaction to the plan. The White House has taken great pains to cast this proposal not as a regulatory model, but as a collaboration with the private sector, but we have heard criticism, like from Melissa Hathaway, who said there's not enough private sector input. Were your firms contacted? How much input did they have in the formulation of the plan?
>> Guest: Unfortunately, we had virtually no direct involvement in the development
8:24 pm
of the administration's current regulatory proposal, and by the way, the title is Cybersecurity Regulatory Framework for the Covering of the Critical Infrastructure. There's really no doubt that they have proposed here developing a fairly extensive regulatory structure, and, again, that is precisely the opposite of what the president himself promised when he released the Cyberspace Policy Review back in 2009, where he said that they were not going to adopt a regulatory posture. The private sector, from everything I know, had no input into the development of this proposal. Quite different, frankly, than the development of the Cyberspace Policy Review or previously the Infrastructure Protection Plan, which were all created through a partnership model. In fact, the private sector went to great pains to put together a
8:25 pm
very detailed paper, bringing together the users, the providers, the civil liberties community, a 33-page detailed paper built on the National Infrastructure Protection Plan and the Cyberspace Policy Review to try to advance the ball moving forward, and we presented that to the administration, and we got a one hour meeting, and we asked to see their plan, you know, show us yours, we'll show you ours, and we never heard back from them. We didn't see the administration's proposal until they sent it to the Congress.
>> Guest: While it gives DHS the authority to enforce security standards to be developed with industry, as you say, there are threatened penalties; they say not criminal sanctions necessarily, but, as you said, name-and-shame, publishing the audits to incentivize companies. I take it that's not an enforcement mechanism that the
8:26 pm
ISA can get behind.
>> Guest: It's the wrong sort of incentives. You need to understand what we're dealing with here with the modern attacks, going back to the notion that we're not dealing with 2005 cybersecurity. We're dealing with, in many instances, very sophisticated attacks. I looked for the threat. This is NSL level attacking. These guys are pros. Okay. This is their day job. They are not kids in a basement. They are very sophisticated, well-organized, very well-funded. They are probably state supported. For a corporation to be going up against essentially a nation state attempting to attack them is similar to Dick Clarke's analogy, similar to the Pentagon going to U.S. Steel in World War II saying they may attack
8:27 pm
the plant, you should buy weaponry and spider planes. It's the wrong model. These modern attacks are designed to be stealthy. In the old days, now they go in there and hide. The idea is you don't know that you have been attacked, so what the administration's proposal does is provide an incentive not to look. We need to provide incentives for corporations to be redoubling their efforts to find the very, very sophisticated attacks, and if corporations feel that if they find the attack they will be put up on a website and get a bunch of negative publicity, stock prices going down, not only don't they have an incentive to look for the successful attacks, but we've provided an incentive for foreign entities to attack these entities, hoping they get discovered and the stock prices go down. They are the wrong incentives.
8:28 pm
This is a punitive model where we try to blame the victims of the attack. We need a constructive model where the government tries to find things they can do to encourage and incent American companies, to provide the right incentives so we are enhancing the cybersecurity systems, not blaming people in China for attacking them.
>> Host: Larry Clinton, don't consumers have the right to know if their personal information from Sony or whatever has been attacked? Don't they have a right to know that information has been exploited?
>> Guest: There are two different things here. With respect to sort of consumer breach notification laws, we do support those, certainly, and, in fact, that would be an element of the administration's proposal where we have common cause with them. They proposed that we have a national breach notification law, so, you know, on the personal side that Marc talked about before, we would be in
8:29 pm
agreement, but I'm not talking about Social Security numbers. I'm talking about the really serious problems that we have, the theft of national secrets, corporate intellectual property, the potential for serious destruction of our nation's critical infrastructure. Those are the sorts of attacks that I think we need to go in and root out. Even if we're going to just confine ourselves to the consumer interests, again, what we should be doing is providing the incentives for companies to find these things, not for them to turn a blind eye to them, and that's what it's going to be in a pragmatic world if you're doing an investigation of your system and then your stock prices go down. It's hard to get boards of directors to fund those things, and we want them to find those things.
>> Guest: Speaking to cybersecurity experts who tell you almost everything of importance
