tv The Communicators CSPAN August 20, 2011 6:30pm-7:00pm EDT
6:30 pm
duncan on newsmaker sunday at 10:00 a.m. and 6:00 p.m. on c-span. it is also available online at c-span.org. >> this week on "the communicators", two critics of president obama's proposals reducing cyber threats to the u.s. marc rotenberg of the electronic privacy information center. and larry clinton of the internet security alliance. this is part three of a month-long series on cyber security. host: this is week 3 of "the communicators" series. this week, we talk with interest groups. first up, marc rotenberg of the electronic privacy information center. he's the executive director. we want to talk to him about some of the privacy concerns from the white house cyber security proposals. when you look at what the white house has released over the past few months, where do your concerns lie?
6:31 pm
guest: a lot of what the white house has done is very good. it is a complicated topic. there are a lot of different agencies that need to be consulted and i think the white house has done a good job of coordinating across several agencies. the key issue for many americans is how to ensure security in cyberspace. there are some privacy and civil liberties issues. the white house is claiming new authority for the government to collect information on how people use the internet. as well as new authority to intercept private communications. and we understand why they may want to do that, but we think when these types of activities are looked at closely, the need for a clear legal standard really becomes apparent. and i would begin by saying that i would think one of the key privacy concerns is that when the government takes these powers, there have to be clear legal reasons and clear
6:32 pm
accountability and oversight. host: in response to what the white house released, you said there should be legal standards and not voluntary guidelines. guest: what the white house is trying to do is to recognize these are important issues. at the same time, they seem to be reluctant to take the type of meaningful steps we would like them to take. so, for example, you could update the federal wiretap law. it has been 25 years since there has been a significant amendment. people are using communication technology in new ways. the white house could say in conjunction with cyber security efforts, we want to update that law to provide the same kind of protection we established 25 years ago. you probably need new types of oversight. you should collect information in new ways.
6:33 pm
those types of concrete proposals on privacy and civil liberties side are still the same -- are still missing. host: you talked about some of the new authority that the white house calls for. can you give me an example? guest: but the department of homeland security is pursuing a new security technique which they call first intrusion detection -- detection, and then intrusion prevention. the name for the project is einstein iii. maybe we will see an einstein iv soon. they are trying to identify activity on the internet that is malicious. they want to have better tools to identify and prevent it. the technique gives the government new ways to capture information online. how else might that technique be used? before we go to the reporter,
6:34 pm
we've recently seen how governments can use these authorities in ways that cause us concern. this is not just about china and the firewall that blocks access to internet web sites, or even egypt where they suspended access to the internet for a period of time, now we have the prime minister of great britain talking about limiting access to social network services, and in the u.s., the transit authority in san francisco was able to turn off cell phone towers because they were concerned about political protests. we need to recognize the significance of some of these recent developments when we are talking about this particular policy which is abstract to some of your viewers. host: we have the technology reporter with "the hill" newspaper. guest: you touched on the ability of the government to shut down portions of the internet. it is a hot topic, given the protests in the middle east and the violence in london.
6:35 pm
this plan does not specifically seem to address whether or not the president can intercede. however, the white house has consistently maintained that the president does have the authority to take action in private networks under a very -- 1941, i believe -- provision of the communications act. do you have a reaction to that? guest: this is the kind of policy debate that people in washington love. the heading is the internet kill switch. the big concern that people have when they first looked at some of the concerns. one of the legislative proposals was that somehow the president would go in the basement in the white house and flip the big switch to off and the internet would stop working. realistically, that cannot happen. the internet is not designed with centralized control. it was interesting when it
6:36 pm
happened in egypt last year, it was because there were four sx access points. what your question goes to is what types of authorities would the president have in a genuine cyber warfare scenario? in that sense, this mirrors some of the other debates taking place right now about, when does the president need to go to congress? what can he do on his own authority? the white house does need to think about those issues. if we found ourselves in the cyber war scenario, the president would have to make some decisions, particularly if the internet was part of the battlefield. guest: i think a lot of people at home are wondering, if we were to see events similar to what we're seeing in london or even at the san francisco transit authority, is that something under this cyber security proposal that could take place? could the federal government shut down portions of the social
6:37 pm
media site if they felt it was being used to stop violence? guest: it would be difficult to do, but we have recent experience in the u.s. that is a bit of a warning. that is surrounding wikileaks. when the u.s. government began to express concerns about their activity, and you had secretary of state clinton and senator lieberman talking about the problem. they were talking about companies that were providing cloud-based services to wikileaks. we began to explore the question: was the u.s. government putting pressure on u.s. firms to back off support for an organization they believe was controversial. i do not think it would be quite so dramatic as cutting off access to the internet, but
6:38 pm
there are other ways to accomplish similar goals. guest: in your view, does this proposal seem consistent with the administration's previous actions with regard to collecting data online and off? there are privacy advocates that criticize this administration's pushing to increase law enforcement's ability to access consumer individual data. guest: i think the proposal does not go as far as it should go to protect privacy. i think that is probably the view that is generally held across the privacy and consumer community, that the white house could do more to promote specific regulation. they talk a lot about self regulation which is another way of saying that they hope the problem will solve itself. i do not think that most people that experienced identity theft feel that the problem is solving itself.
6:39 pm
we would like to see them do more. to the extent it has been consistent in not setting out a legislative agenda, that is not so good for us. host: when you read the white house proposals on cyber security and you see the references to public-private partnerships, does that concern you? guest: here what the white house is trying to do is manage the relationship with the private sector. so, the private sector has said they do not want a legislative mandate. they do not want the government to take over some of the critical infrastructure they are responsible for. the white house and the department of homeland security is concerned that if some of those networks, the remotely operated electronic grids or water or gas supply, much of this is tied into the internet. begin to think about scenarios where those become
6:40 pm
vulnerabilities. the white house has some responsibility to safeguard those critical functions. so what we have tried to do with the private sector is say, we want to work with you. we need you to provide us information. we will provide you with information, but from the user perspective that creates some risk. because now you may have data about user activity moving back and forth between private companies and the government without any kind of real independent oversight. in that relationship, we have said there has to be consideration of the user, of the consumer. host: does the white house cyber security address penalties? guest: they do. in a way we do not support. part of the agreement to get the information from the private sector over to dhs is to immunize the private sector companies that are disclosing information about their users from any liability. if you are a user or a company,
6:41 pm
and that is not the subject of criminal investigation, you might wonder why your data ended up at the department of homeland security. the only way you would have to us that some change in that practice would be to bring a lawsuit. so the white house immunizes those companies, which is similar to what president bush did around the patriot act amendments, when the lawsuits are going forward charging violations of the wiretap law. it is the internet users' rights that are being ignored. host: this is "the communicators". we are in the third week of a series on cyber security issues. this week, we are talking with marc rotenberg of the electronic privacy information center. but speaking of critical infrastructure, he spoke about the electric grid, but we heard mentioned that this would include financial
6:42 pm
services, internet service providers, that latter category would raise some privacy concerns for consumers, given that once dhs has access to data, it is not clear whether or not they would be able to use it for other purposes. guest: i think the white house's instinct in this area is correct, which is to say that what they put in the report is the goal of ensuring that the information that they gather will only be used for purposes consistent with their cyber security mandate. we agree with that. but we would like to see that set up clearly in the legislation and not create a situation where they get the information for one purpose and they say, we could use the information because we have all of this data for some other purposes. maybe it is criminal investigation, tax collection, who knows? and those other purposes might seem reasonable at the time. but when you open the gates in
6:43 pm
this way and enable this kind of data flow from the private sector to the government, it is really the interests of the individual user that i think needs to be safeguarded. and the way you can do that is through legislation. guest: so what kind of legislation are we talking about? would you like to see warrants in terms of using data? guest: we think that you do need additional approval before you intercept private communications. that is the core principle of the federal wiretap law. you have exceptions, but you want those to occur around the edges. you do not want the core principle of judicial review before there is an intercept taking place to be replaced by a new core principle that says that the government routinely gets access to user data from isps. that could easily happen over time. i think if some of the
6:44 pm
language in the proposal is not tied up a bit. host: you have endorsed senator leahy's security act of 2011. why are you in favor? guest: i think what he is trying to do is strengthen data breach notification. this is an interesting development. basically, it is the requirement that is put on companies to tell their customers when information about them has been unlawfully disclosed. it may not be quite as satisfying as knowing that your information is always protected, but what we have learned is that when the user data gets out there, there are new opportunities for financial fraud and identity theft. the company is taking a bit of a hit when it has to concede that it did not follow adequate security practices. so senator leahy is trying to strengthen the data breach notification requirements,
6:45 pm
including some new penalties, which i think are very good. another issue which he addressed and others on the hill as well, which is moving to the fore, is the notion of data minimization, recognizing it is difficult to protect information being collected. the view in the privacy community is that increasingly companies need to think about, is it such a good idea to collect such information about individuals? do you really need a social security number on your customer if you do not have tax reporting? do you need to keep financial information? should the information you are keeping, should that be routinely interrupted? those are topics they've looked at. is it similar to congresswoman mack's
6:46 pm
proposal? guest: it is similar, but i do not think it goes as far as congressman rush's bill in the last congress. recognize the significant role that the information broker industry plays in this particular area. indeed i think to establish some new privacy safeguards for that industry. what the congresswoman felt was that she wanted to focus on the security side without looking at the privacy issues. we believe that the privacy issues need to be considered at the same time. guest: speaking to minimization, we have seen that tension between privacy experts and many industries feel there needs to be as little data kept as possible. on the other hand, law enforcement. we have seen the bill, which under the purpose of cutting down -- yes. i was at the hearing where you
6:47 pm
testified. can you speak to that tension? the white house proposal appears to be more sympathetic to law enforcement's need to access information. guest: i don't know the outcome. i do know having studied the history that one of the accomplishments in our original privacy legislation was to say to law-enforcement explicitly, and you really should only collect the information that is necessary and related to the criminal investigation you are pursuing. so it is the case that currently in federal wiretap law, there are minimization procedures and other obligations that ensure that information about innocent people is not gathered. that is the change. i do not see a reason to make that change at this time. host: marc rotenberg is the executive director of the electronic privacy information center. how is it funded?
6:48 pm
guest: we do not take money from the private sector or from the government. we get contributions from individual donors, from litigation we pursue, and some of the books we sell. we are a modest group, but we think it is an important issue. it is an issue a lot of people are concerned about. host: previously you served as counsel to senator patrick leahy. and most interestingly, he is a three-time chess champion for washington, d.c. we appreciate your being on "the communicators". we will be right back with larry clinton -- we will be right back with larry clinton of internet security alliance. mr. clinton, if we could start by finding out what the isa is. trade association created back in 2000. represents virtually every
6:49 pm
aspect of our nation's critical infrastructure -- aviation, banking, communications, defense, financial services. and our mission statement is to take advanced technology and blend it with public policy and economics to create a sustainable system of cyber security. so we are a security organization, and represent our companies' security interests. host: when you look at the cyber security proposals put up by the white house this summer, what is your reaction? do you support it? what concerns you? guest: there are a number of things in the proposal that have broad support. things such as providing more cyber security education, developing a much better system within the government to manage their own cyber security research and development on next-generation items. i think where we feel the administration has not met our
6:50 pm
expectations is when they deal with the private sector. the private sector owns, operates, and creates the vast majority of what is the internet. and we do not believe that, without a robust and really engaged partnership between the public sector and the private sector, we are going to be able to achieve a sustainable system that our alliance is interested in. we are disappointed with the entire section that dealt with developing a model for working between the president's, the administration and the private sector. host: why are you disappointed? what specifically? guest: i attended a conference out of george mason university a month or so ago. one of the head white house staff was giving the keynote address. at the end of the address, he was asked, so give us the future. what would this mean? and he said that he believed
6:51 pm
that by 2012, we will have solved all of the cyber security problems from 2005. and i thought that was a pretty accurate and candid view of what the administration's proposal does. they are fighting the last war. and the model that they are using for dealing with the private sector is largely antiquated. it does not really recognize the movement that we have in terms of data moving out of the control of individual enterprises and moving to the cloud. it does not appreciate the advanced nature of some of the serious threats we are dealing with, the apt, the advanced persistent threat. often, nation-centered. instead it takes a punitive approach to the private sector that we think it really creates
6:52 pm
the wrong incentives. what we really need is a positive engagement with our government partners as opposed to a punitive, name and shame model. that is not going to provide the sorts of investment we need to create a sustainable system of cyber security. host: in fact a quote from the internet security alliance when the proposal came out, "it would be much better if companies were proactively incentivized so that if they wanted to find cyber attackers. if you're subject to some of these name and shame penalties, i think that would be a mistake." what would be proactively incentivizing a company? guest: when president obama released the cyberspace policy review in march, in may, 2009, he in his own documents cited a number of these things. we are talking about using liability incentives. we are talking about using
6:53 pm
procurement consensus. this was 2009. it suggested that we needed to provide tax incentives. we think that we could also use streamlined regulation. we can do a lot more to bring the insurance industry into the cyber security equation. what we need to do is get organizations to invest more in cyber security to go a step that is frankly beyond what is demanded by their corporate, commercial interests and reach a security level that is in the national interest. those are different things. host: our guest at "the hill" newspaper. guest: the white house has taken great pains to cast this proposal not as a regulatory model, but as a collaboration with the private sector. we have heard criticism from melissa hathaway that there was
6:54 pm
not enough private sector input. how does the isa, were your firms contacted? how much and what did they have in the formulation of this plan? guest: we had virtually no direct involvement in the development of the administration's current regulatory proposal. by the way, the title is "cyber security regulatory framework." and there is no doubt that they have proposed here developing a fairly extensive regulatory structure. that is precisely the opposite of what the president himself promised when he released the cyberspace policy review back in 2009, where he said they were not going to adopt a regulated posture. the private sector, from everything i know, had no input into the development of this proposal.
6:55 pm
quite different than the proposal of the cyberspace policy review previously or the national infrastructure protection plan, which were created through a partnership model. in fact, the private sector went to great pains to put together a very detailed white paper, bringing together the users, the providers, said the liberties community, a 33-page detailed paper -- with the civil liberties community -- to advance the ball. we presented that to the administration and we had a one-hour meeting. we asked to see their plan. we never heard back from them. we did not see the administration's proposal until it was sent to congress. guest: the proposal gives dhs to enforce whatever security standards that will be developed in consultation with industry.
6:56 pm
as you say, they are threatening penalties, not criminal sanctions or civil liability, name and shame. they will publish the results of a security audit to incentivize companies. i take it that is not a mechanism that the isa can get behind. guest: it's the wrong sorts of incentives. you need to understand what we are dealing with, with the modern attacks, going back to the notion that we are not dealing with 2005 cyber security. we are dealing with these very sophisticated attacks. i mentioned before the advanced persistent threat. these guys are pros. this is their day job. they are not kids. these guys are very sophisticated, very well funded. they are probably state-supported. so for a corporation to be going
6:57 pm
up against a nation state that is attempting to attack them, it is similar to dick clark's analogy, similar to the pentagon going to the u.s. steel during world war ii and saying that we might think that the germans will attack in pennsylvania. it's entirely the wrong model. these modern attacks are designed to be stealthy. in the old days, attackers publicized their attacks. now they hide. you do not know you have been attacked. what the administration's proposal does is provide an incentive not to look. we need to provide incentives for corporations to redouble their efforts to find these very sophisticated attacks. if corporations feel they, if they find the attack they are going to be put up on a website and get a bunch of negative
6:58 pm
publicity, not only did they not have an incentive to look for these successful attacks, but we provided an incentive for foreign entities to attack these entities, hoping they get discovered and their stock prices go down. these are the wrong incentives. this is a punitive model, where we try to blame the victims of the attacks. what we need is a constructive model, where the government tries to find things it can do to encourage and assist american companies to provide the right incentives so that we are enhancing our cyber security systems not blaming people when china is successful attacking them. host: don't consumers have the right to know if their personal information has been attacked? don't they have the right to know that that information has been exploited? guest: we are talking about two different things. with respect to consumer breach
6:59 pm
notification laws, we support those. that would be an element of the administration's proposal where we have common cause. they proposed a national breach notification law. on the personal side, we would probably be in agreement. but i am not talking about the loss of social security numbers. i am talking about the serious problems we have -- the theft of national secrets, corporate intellectual property, the potential for serious destruction of our nation's critical infrastructure. those are the sorts of attacks that i think we need to go in and root out. even if we are going to confine ourselves to the consumer interests, again, what we should be doing is providing incentives for companies to go find these things, not for them to turn a blind eye to them. that