Are Obama’s new cybersecurity standards a form of privacy regulation in disguise?

From: The Washington Post/The Switch

By Brian Fung

While the National Security Agency has been working to gather data about Americans’ communications, other branches of government have been working to develop new rules to promote online privacy and security.

Among them is the National Institute of Standards and Technology. With the private sector’s input, NIST has been putting together an obscure but important proposal to improve the nation’s resilience against malicious hackers.

Buried in the back of it is a series of recommendations that, if approved, might pave the way for stronger government oversight of businesses when it comes to their use of personal information.

They include suggestions such as figuring out what exactly a company knows about its employees and its customers; whether its handling of the information poses a security risk; and how to treat personal data in the event of an online attack.

These ideas are based on a common set of privacy principles that don’t have the force of law. But according to Stewart Baker, the NSA’s one-time top lawyer and former Bush administration official, the NIST guidelines could eventually turn into more enforceable regulations:

That’s because of how the cybersecurity executive order treats NIST’s work product. Once NIST has finished the framework, next January, the administration plans to use a wide range of incentives to get industry to adopt the framework. But the document’s effect will be felt as soon as a preliminary draft is issued in October. The executive order instructs every regulatory agency in the federal government to review the preliminary NIST framework and report to the President on whether the agency has authority to impose NIST’s framework on the industries it regulates. If an agency lacks authority, it will almost certainly be invited to go ask for it. This means that the privacy appendix, which made its first appearance in public in the dead of August, will have a potentially irreversible effect as early as October 10, when NIST is due to issue the preliminary framework.

Baker argues that due to this possibility, the privacy guidelines have no place in NIST’s proposed framework. Perhaps it might be better for Congress to write its own privacy protections into a comprehensive piece of IT security legislation. But for more than a year, Congress has failed to agree on a bill, with privacy usually being the key sticking point. Civil libertarians hated CISPA, the House’s proposed law, because they feared that it was overly intrusive. (The White House agreed, twice threatening a veto.) The Senate, meanwhile, has yet to unveil its version of a bill. We’re as far from a law today as ever.
