Hoping to capitalize on the recent Sony breach, President Obama on Tuesday unveiled proposed legislation that would create a friendlier environment for companies and government to share information about potential cyberthreats and security vulnerabilities.
The proposal, officially announced today by Obama in a speech at the National Cybersecurity and Communications Integration Center, hopes to cajole the private sector into participating in information-sharing by offering them liability protection. The plan seeks to assuage privacy concerns by requiring participating companies to comply with a set of restrictions, such as removing “unnecessary personal information,” though a White House fact sheet did not specify what those restrictions would entail.
But the package is already facing headwinds from privacy advocates, who for years have cautioned that information-sharing legislation could bolster the government’s surveillance powers. Several groups have insisted that no information-sharing bill should be considered before substantial National Security Agency reform.
“The Sony hack demonstrates a failure of corporate digital security, and not a need for greater government information-sharing,” said Amie Stepanovich, senior policy counsel with Access, a digital-freedom group. “The administration’s attempt to use Sony to justify increased transfer of information to the government is difficult to understand, particularly in the absence of substantive NSA reform, a subject the administration has yet to comment on in the new year.”
Stepanovich said the White House proposal appeared to be more concerned with privacy than a controversial cybersecurity bill that was reintroduced last week by Rep. Dutch Ruppersberger, a Maryland Democrat, but that “the devil is in the details.” The White House has historically not been supportive of that legislation, known as the Cyber Intelligence Sharing and Protection Act.
Obama’s proposal comes amid a week of announcements from the administration dealing with data security—and more troubling headlines. On Monday, the president announced a plan to combat identity theft and improve student privacy, a speech that was quickly followed by the simultaneous hack of U.S. Central Command’s Twitter and YouTube accounts by Islamic State sympathizers.
Both Republicans and Democrats on Capitol Hill have identified cybersecurity as a high priority in the new Congress, and the desire to pass legislation has only increased after a debilitating hack on Sony Pictures, an intrusion the administration has publicly blamed on North Korea.
Congress has repeatedly come up short on passing substantial cybersecurity packages, in part because of concerns from privacy groups. Both the Senate and the House held a carousel of hearings last year following the massive Target data breach that hit during the 2013 holiday shopping season, but negotiations failed to gain much traction, despite a steady trickle of breaches at Home Depot, JP Morgan, and Neiman Marcus.
But administration officials and advocates of tougher cybersecurity laws see reason for hope this year, as members of both parties have suggested that the Sony hack is a game-changer and a reminder that there is room for bipartisan compromise. Obama’s plan appears to offer narrower, more targeted liability protection than a similar proposal offered in 2011, a move intended to make information-sharing more palatable to companies and privacy advocates.
The liability coverage would include so-called cyberthreat indicators, such as IP addresses and routing information, but not actual content, according to a senior administration official. Still, a fact sheet saying the bill would require the Homeland Security Department to share information “in as near real time as possible” with other agencies is likely to raise concerns with privacy groups, as that would include the NSA, the FBI, and the Pentagon.
The proposed legislation would also ask the attorney general and the Homeland Security secretary to work with the Privacy and Civil Liberties Oversight Board to create clearer, more nuanced rules for the government in its sharing, retaining, and disclosing of private data.
Those offerings may not be enough to appease critics of expanded information sharing, however.
“Instead of proposing unnecessary computer security information sharing bills, we should tackle the low-hanging fruit,” said Mark Jaycox, a legislative analyst with the Electronic Frontier Foundation. “This includes strengthening the current information sharing hubs and encouraging companies to use them immediately after discovering a threat.”
Also on Tuesday, the administration will propose that Congress take up legislation seeking to broaden law enforcement’s authorities to fight cybercriminals by criminalizing the sale of stolen financial data, among other measures. It would also allow the administration to obtain court approval to hunt down computer networks that force websites to crash by issuing so-called denial-of-service attacks, and it would amend the Computer Fraud and Abuse Act to ensure that “insignificant conduct” does not fall within the statute’s scope.
The White House additionally said Tuesday it will hold a summit on cybersecurity and consumer protection on Feb. 13 at Stanford University.