Bernie Sanders on Cybersecurity
The threat of cyberattacks, both domestic and abroad, poses a serious risk to the United States. Cyberattacks have already cost the U.S. government significantly, and American businesses suffer billions more in losses every year. Cyberattacks may also be “the greatest threat to U.S. national security,” as America’s “critical infrastructure” is vulnerable to attack. Even the NSA was hacked, and the tools it used to attack computers were stolen, sold and are now being used to attack U.S. critical infrastructure.
While the importance of cybersecurity is clear, tough comprehensive legislation has yet to be enacted. Bernie believes in balancing the need for cybersecurity with protecting the rights and data of American citizens.
Threats to the Nation: Cyberattacks pose a serious risk, domestic and abroad. These attacks cost money, and must be addressed.
Legislative Issues: Some cybersecurity legislation has been passed. More must be done.
Privacy or Security?: Cybersecurity is important. While working to improve network security, the government must respect the constitutional rights of Americans.
Threats to the Nation
Cyberattacks pose a real danger to the U.S. A recent cyberattack may have affected over 22 million Americans, and reminds us how vulnerable our government really is to cyberattacks.
The U.S. conducted the “Stuxnet” cyberattack on Iran’s nuclear facilities in 2010. If they are vulnerable, so are we. In fact, the U.S. may be even more vulnerable than other countries because 85 percent of our critical infrastructure is privately owned. An attack on privately owned utilities or the power grid could cripple the country. Even weapons systems are vulnerable, and the GAO issued a frightening report in 2018 detailing how the government is not doing enough to protect them.
What is critical infrastructure?
Everything connected to the internet is vulnerable to cyber attack.
Presidential Policy Directive 21 has identified 16 critical infrastructure sectors whose destruction or disruption would have a debilitating effect on security, the economy, public health or safety. Essentially this is everything.
- Chemical: sites that manufacture, store, use, or transport basic chemicals, specialty chemicals, agricultural chemicals, pharmaceuticals and consumer products
- Commercial Facilities: sites with large crowds for shopping, entertainment, or lodging
- Communications: satellite, wireless and wireline providers, and the internet
- Critical Manufacturing Sector: production of primary metals, machinery, electrical equipment, appliances and components, and transportation equipment
- Dams: dams, navigation locks, levees, hurricane barriers, mine tailings impoundments, hydroelectric power generation, municipal and industrial water supplies, agricultural irrigation, sediment and flood control, river navigation for inland bulk shipping, industrial waste management and recreation
- Defense Industrial Base: R&D, as well as the design, production, delivery and maintenance of military weapons systems, subsystems, components or parts
- Emergency Services: fire and rescue, emergency medical, emergency management
- Energy: electricity, oil and natural gas
- Financial Services: depository institutions, providers of investment products, insurance companies, other credit and financing organizations
- Food and Agriculture: 2.1 million farms, 935,000 restaurants, and more than 200,000 registered food manufacturing, processing and storage facilities
- Government Facilities: office buildings, military installations, embassies, courthouses, national laboratories and structures with critical equipment, systems and networks
- Healthcare and Public Health: protecting all sectors from terrorism, infectious disease outbreaks and natural disasters
- Information Technology: hardware, software, IT systems and services, and the Internet
- Nuclear Reactors, Materials, and Waste: nuclear facilities, materials and waste
- Transportation Systems: moving people and goods – aviation, highways, maritime, mass transit, passenger rail, pipelines, freight rail and postal and shipping
- Water and Wastewater Systems: drinking water and wastewater treatment
How much of a threat is there? Are there that many cyber attacks?
While the recent loss of U.S. federal employee data was one of the largest government data breaches in history, it is by no means the only case. Since 2006, the United States has seen a steady increase in the number of cyberattack incidents against U.S. government agencies and corporations. Due to increasing cyberattacks in recent years, President Obama published new guidance on cyberattacks, allowing the administration to diplomatically punish governments that allow hacking of U.S. networks. Governments suspected of hacks include North Korea, Russia and China.
What kind of attacks are we talking about?
Hacking (unauthorized access), denial-of-service attacks (DDoS), using malware (phishing, ransomware, viruses), identity theft, identity fraud, insider threats from witting or unwitting employees, and electronic theft.
What needs to be done to protect critical infrastructure?
According to the U.S. Government Accountability Office, the risks are increasing and government plans to protect from threats have not been fully implemented. For the plans to work, it is vital that the public and private sectors work together.
It’s complicated. The Department of Homeland Security (DHS) has a cybersecurity strategy and the Department of Defense (DoD) has a separate cybersecurity strategy, which is part of the National Defense Strategy. Because the DoD uses so many military contractors, all of those systems must also be protected. It is necessary for businesses and the government to cooperate in a unified effort. However, there are privacy and civil liberty concerns that cannot be ignored in a functioning democracy.
How much do cyber attacks cost?
The graphic below answers a lot of questions about cost.
What is Bernie doing to fight cyberattacks?
Bernie has expressed concern over the vulnerability of U.S. cybersecurity, but also over mass surveillance. Bernie voted for the Cybersecurity Act of 2012 only to have Republicans defeat it due to concerns about over-regulation. Bernie would support discussing the Protecting Cyber Networks Act; however, this bill has major privacy concerns and has been subject to political games instead of discussion.
What does Bernie say about the cybersecurity threat?
“Our nation’s national security and economy face unprecedented threats from cyber-attacks, and it is important that we defend ourselves as best we can while, at the same time, protecting the privacy and civil liberties of the American people.” — Bernie
Bernie seems concerned with not only security but privacy as well. Should we really worry about government surveillance and privacy?
Most Americans agree that “it is unacceptable for the government to monitor the communications of U.S. citizens.” In addition, Bernie is concerned about the constitutionality of programs that access the information of American citizens.
The United States needs to pass legislation to improve the overall cybersecurity of the nation. But privacy and civil rights must be respected.
What cybersecurity laws have already been passed?
Some information is already protected. Laws require healthcare organizations, financial institutions, and federal agencies to protect their systems and information. Other recent cybersecurity laws give immunity to companies so they have no legal liability for sharing user information with the government.
Here are some cybersecurity laws:
- Health Insurance Portability and Accountability Act (HIPAA) (1996) requires health providers to protect health information and not disclose it without a patient’s permission.
- Gramm-Leach-Bliley Act (1999) requires financial institutions to protect financial records and information.
- Homeland Security Act of 2002 requires the government to protect the information it has.
- Federal Information Security Modernization Act of 2014 requires government networks and information held by the government to be protected from cyber intrusion.
- National Cybersecurity Protection Advancement Act of 2015 protects businesses from liability for sharing information about individuals with the government.
- The Cybersecurity Enhancement Act of 2014 regulates voluntary public-private partnership with the government to share user information to address cybersecurity.
- Cybersecurity Information Sharing Act (CISA) of 2015 requires Internet Service Providers (ISPs) and software companies to protect their systems. It also requires sharing of information about cybersecurity threats and Internet traffic information between the U.S. government and ISPs.
- Electronic Communications Privacy Act (ECPA), passed in 1986, allows the U.S. government to use GPS to track cellphones and to access digital communications such as email, social media messages, and information on public cloud databases without a warrant if the items in question are 180 days old or older. Google reported that the government made 60,000 requests for information in 2018.
Where does Bernie stand with cybersecurity legislation?
Bernie voted “Yea” on the Cybersecurity Act of 2012 to secure the country’s networks long before the most recent cyberattacks against the United States. He made it clear that vulnerabilities in the cyber realm pose a national security threat and that new legislation ought to be passed. Nonetheless, a filibuster by Republicans in the Senate prevented the legislation from being passed. Bernie noted at the time that, “it is important that we defend ourselves as best we can” against this threat.
Bernie voted no on the National Defense Authorization Act (NDAA) in 2016 for various defense spending reasons, but also because the Protecting Cyber Networks Act was in the bill. There are concerns about its potential impact on the privacy of Americans.
What other cybersecurity laws are there?
The Computer Fraud and Abuse Act (CFAA) is a cybersecurity bill used to prosecute hackers that was enacted in 1984 and expanded under the 2001 USA PATRIOT Act and amendments to it. This law, along with the Espionage Act of 1917, is being used to prosecute Julian Assange and led to the death of Aaron Swartz and the subsequent introduction of Aaron’s Law.
Bernie voted against the Patriot Act of 2001 and every amendment that would extend or expand it.
Cyber Intelligence Sharing and Protection Act (CISPA) was originally introduced in 2011, and has been reintroduced two more times. It would allow businesses to share information with the federal government with limited oversight and privacy safeguards. Essentially, it expands the NSA’s reach without formally granting the NSA more authority to conduct surveillance on Americans. The way it’s written poses an ambiguous threat to privacy.
Bernie actively opposed the 2013 CISPA bill, as did the public. After CISPA was repeatedly defeated due to massive public outcries, a nearly identical bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was introduced and quickly passed before public opposition to it could build. Bernie strongly opposed the bill and voted against it.
This video explains CISA:
Privacy or Security?
“Our civil liberties and right to privacy shouldn’t be the price we pay for security.” – Bernie, October 22, 2015 when voting against CISA
Privacy is too important to the American people to not take into consideration.
With knowledge of mass surveillance taking place, Bernie and others have expressed concern over the power given to the government with regard to our privacy.
What has Bernie said in regard to cybersecurity legislation and privacy?
When the Cybersecurity Act of 2012 was being considered Bernie said, “I worked hard with a number of colleagues to make sure that language in the bill would protect the Constitutional rights of the American people.”
While discussing that legislation, Bernie said the bill must defend our country while simultaneously “protecting the privacy and civil liberties of the American people.”
Is Bernie alone when it comes to this?
No, not at all. In a recent letter to members of the House and Senate, engineers and security industry professionals agree that the government’s focus on collecting Americans’ personal information only undermines our nation’s cybersecurity. Regarding the Protecting Cyber Networks Act, the letter stated, “waiving privacy rights will not make security sharing better” and that “sharing users’ private information creates new security risk.” The Electronic Frontier Foundation is concerned about inadequate privacy protections and legal immunity for companies that share information about users.
Do citizens agree with Bernie on cybersecurity and privacy?
The Washington Post found that the majority of adults believe the NSA intrudes when conducting surveillance on American telephone records and internet traffic. Both Democrats and Republicans overwhelmingly view this as a violation of their rights.
See more on mass surveillance on the Privacy and Digital Rights Page.