President Obama’s New Cybersecurity Proposal Is Already Facing Skepticism

The information-sharing proposal to be announced Tuesday comes in the wake of last year’s Sony hack—but already has privacy advocates sounding alarms.

National Journal
Add to Briefcase
Dustin Volz
Jan. 13, 2015, 5:58 a.m.

Hop­ing to cap­it­al­ize on the re­cent Sony breach, Pres­id­ent Obama on Tues­day un­veiled pro­posed le­gis­la­tion that would cre­ate a friend­li­er en­vir­on­ment for com­pan­ies and gov­ern­ment to share in­form­a­tion about po­ten­tial cy­ber­threats and se­cur­ity vul­ner­ab­il­it­ies.

The pro­pos­al, of­fi­cially an­nounced today by Obama in a speech at the Na­tion­al Cy­ber­se­cur­ity and Com­mu­nic­a­tions In­teg­ra­tion Cen­ter, hopes to ca­jole the private sec­tor in­to par­ti­cip­at­ing in in­form­a­tion-shar­ing by of­fer­ing them li­ab­il­ity pro­tec­tion. The plan seeks to as­suage pri­vacy con­cerns by re­quir­ing par­ti­cip­at­ing com­pan­ies to com­ply with a set of re­stric­tions, such as re­mov­ing “un­ne­ces­sary per­son­al in­form­a­tion,” though a White House fact sheet did not spe­cify what those re­stric­tions would en­tail.

But the pack­age is already fa­cing head­winds from pri­vacy ad­voc­ates, who for years have cau­tioned that in­form­a­tion-shar­ing le­gis­la­tion could bol­ster the gov­ern­ment’s sur­veil­lance powers. Sev­er­al groups have in­sisted that no in­form­a­tion-shar­ing bill should be con­sidered be­fore sub­stan­tial Na­tion­al Se­cur­ity Agency re­form.

“The Sony hacks demon­strates a fail­ure of cor­por­ate di­git­al se­cur­ity, and not a need for great­er gov­ern­ment in­form­a­tion-shar­ing,” said Amie Stepan­ovich, seni­or policy coun­sel with Ac­cess, a di­git­al-free­dom group. “The ad­min­is­tra­tion’s at­tempt to use Sony to jus­ti­fy in­creased trans­fer of in­form­a­tion to the gov­ern­ment is dif­fi­cult to un­der­stand, par­tic­u­larly in the ab­sence of sub­stant­ive NSA re­form, a sub­ject the ad­min­is­tra­tion has yet to com­ment on in the new year.”

Stepan­ovich said the White House pro­pos­al ap­peared to be more con­cerned with pri­vacy than a con­tro­ver­sial cy­ber­se­cur­ity bill that was re­in­tro­duced last week by Rep. Dutch Rup­pers­ber­ger, a Mary­land Demo­crat, but that “the dev­il is in the de­tails.” The White House has his­tor­ic­ally not been sup­port­ive of that le­gis­la­tion, known as the Cy­ber In­tel­li­gence Shar­ing and Pro­tec­tion Act.

Obama’s pro­pos­al comes amid a week of an­nounce­ments from the ad­min­is­tra­tion deal­ing with data se­cur­ity—and more troub­ling head­lines. On Monday, the pres­id­ent an­nounced a plan to com­bat iden­tity theft and im­prove stu­dent pri­vacy, a speech that was quickly fol­lowed by the sim­ul­tan­eous hack of U.S. Cent­ral Com­mand’s Twit­ter and You­Tube ac­counts by Is­lam­ic State sym­path­izers.

Both Re­pub­lic­ans and Demo­crats on Cap­it­ol Hill have iden­ti­fied cy­ber­se­cur­ity as a high pri­or­ity in the new Con­gress, and the de­sire to pass le­gis­la­tion has only in­creased after a de­bil­it­at­ing hack on Sony Pic­tures, an in­tru­sion the ad­min­is­tra­tion has pub­licly blamed on North Korea.

Con­gress has re­peatedly come up short on passing sub­stan­tial cy­ber­se­cur­ity pack­ages, in part be­cause of con­cerns from pri­vacy groups. Both the Sen­ate and the House held a ca­rou­sel of hear­ings last year fol­low­ing the massive Tar­get data breach that hit dur­ing the 2013 hol­i­day shop­ping sea­son, but ne­go­ti­ations failed to gain much trac­tion, des­pite a steady trickle of breaches at Home De­pot, JP Mor­gan, and Nei­man Mar­cus.

But ad­min­is­tra­tion of­fi­cials and ad­voc­ates of tough­er cy­ber­se­cur­ity laws see reas­on for hope this year, as mem­bers of both parties have sug­ges­ted that the Sony hack is a game-changer and a re­mind­er that there is room for bi­par­tis­an com­prom­ise. Obama’s plan ap­pears to of­fer nar­row­er, more tar­geted li­ab­il­ity pro­tec­tion than a sim­il­ar pro­pos­al offered in 2011, a move in­ten­ded to make in­form­a­tion-shar­ing more pal­at­able to com­pan­ies and pri­vacy ad­voc­ates.

The li­ab­il­ity cov­er­age would in­clude so-called cy­ber­threat in­dic­at­ors, such as IP ad­dresses and rout­ing in­form­a­tion, but not ac­tu­al con­tent, ac­cord­ing to a seni­or ad­min­is­tra­tion of­fi­cial. Still, a fact sheet say­ing the bill would re­quire the Home­land Se­cur­ity De­part­ment to share in­form­a­tion “in as near real time as pos­sible” with oth­er agen­cies is likely to raise con­cerns with pri­vacy groups, as that would in­clude the NSA, the FBI, and the Pentagon.

The pro­posed le­gis­la­tion would also ask the at­tor­ney gen­er­al and the Home­land Se­cur­ity sec­ret­ary to work with the Pri­vacy and Civil Liber­ties Over­sight Board to cre­ate clear­er, more nu­anced rules for the gov­ern­ment in its shar­ing, re­tain­ing, and dis­clos­ing of private data.

Those of­fer­ings may not be enough to ap­pease crit­ics of ex­pan­ded in­form­a­tion shar­ing, however.

“In­stead of pro­pos­ing un­ne­ces­sary com­puter se­cur­ity in­form­a­tion shar­ing bills, we should tackle the low-hanging fruit,” said Mark Jay­cox, a le­gis­lat­ive ana­lyst with the Elec­tron­ic Fron­ti­er Found­a­tion. “This in­cludes strength­en­ing the cur­rent in­form­a­tion shar­ing hubs and en­cour­aging com­pan­ies to use them im­me­di­ately after dis­cov­er­ing a threat.”

Also on Tues­day, the ad­min­is­tra­tion will pro­pose that Con­gress take up le­gis­la­tion seek­ing to broaden law en­force­ment’s au­thor­it­ies to fight cy­ber­crim­in­als by crim­in­al­iz­ing the sale of stolen fin­an­cial data, among oth­er meas­ures. It would also al­low the ad­min­is­tra­tion to ob­tain court ap­prov­al to hunt down com­puter net­works that force web­sites to crash by is­su­ing so-called deni­al-of-ser­vice at­tacks and amend the Com­puter Fraud and Ab­use Act to en­sure that “in­sig­ni­fic­ant con­duct” does not fall with­in the stat­ute’s scope.

The White House ad­di­tion­ally said Tues­day it will hold a sum­mit on cy­ber­se­cur­ity and con­sumer pro­tec­tion on Feb. 13 at Stan­ford Uni­versity.


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.