Could your browsing history end up in the government's hands?

last updated 11 January 2015

President Obama is expected to sign an executive order that would require private companies that operate critical infrastructure to get their cyber defenses in order. Congress has tried, and failed, to pass legislation aimed at voluntarily creating a system of national standards, and all manner of cyber exploitation and attacks keep coming. Though virtually every actor in the debate believes that some sort of legislation is necessary, corporate America is split in two about how much risk they ought to be required to assume. Within most companies, IT teams push for more elaborate defenses and for disclosure of problems; general counsels counsel silence, and customer service executives complain about cyber architecture that is too costly and would put them at a competitive disadvantage.

The news reports about these executive orders suggest that the system will be "voluntary," but in effect, it won't be. The government can easily require that any company that wishes to do any business with it must comply with the new regime. No pay, no play. By identifying and defining just what counts as "critical" infrastructure is also a way to compel participation.

One complex question that may be answered is how much data a company is required to give the government if it detects a cyber threat, and how much information the government can share with a company if IT detects a cyber threat. The National Security Agency tends to the really big nodes that handle critical infrastructure, and it likes to over classify just about everything. But companies, reasonably, want instantly updated information about the threat environment. Even though most big companies that handle Very Big tasks for country's infrastructure do some sort of classified work for the government and thus have employees who are cleared to see the information, there is no way to distribute it.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

https://cdn.mos.cms.futurecdn.net/flexiimages/jacafc5zvs1692883516.jpg

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

What happens if a company that handles Internet infrastructure detects within your own browsing history the signature of a major virus or an attack? Almost certainly, it will be required to act on the information in a way that includes the transmission of your data to the government. Whether it can and will be anonymized is an open question. How long the government can retain it is also an open question. (There is a whole set of other rules for criminal and intelligence matters).

Explore More

Marc Ambinder is TheWeek.com's editor-at-large. He is the author, with D.B. Grady, of The Command and Deep State: Inside the Government Secrecy Industry. Marc is also a contributing editor for The Atlantic and GQ. Formerly, he served as White House correspondent for National Journal, chief political consultant for CBS News, and politics editor at The Atlantic. Marc is a 2001 graduate of Harvard. He is married to Michael Park, a corporate strategy consultant, and lives in Los Angeles.

Subscribe to The Week

Sign up for The Week's Free Newsletters

Sign up for Today's Best Articles in your inbox