President Obama’s New Cybersecurity Proposal Is Already Facing Skepticism

The information-sharing proposal to be announced Tuesday comes in the wake of last year’s Sony hack—but already has privacy advocates sounding alarms.

National Journal
Dustin Volz
Jan. 13, 2015, 5:58 a.m.

Hoping to capitalize on the recent Sony breach, President Obama on Tuesday unveiled proposed legislation that would create a friendlier environment for companies and government to share information about potential cyberthreats and security vulnerabilities.

The proposal, officially announced today by Obama in a speech at the National Cybersecurity and Communications Integration Center, hopes to cajole the private sector into participating in information-sharing by offering them liability protection. The plan seeks to assuage privacy concerns by requiring participating companies to comply with a set of restrictions, such as removing “unnecessary personal information,” though a White House fact sheet did not specify what those restrictions would entail.

But the package is already facing headwinds from privacy advocates, who for years have cautioned that information-sharing legislation could bolster the government’s surveillance powers. Several groups have insisted that no information-sharing bill should be considered before substantial National Security Agency reform.

“The Sony hacks demonstrates a failure of corporate digital security, and not a need for greater government information-sharing,” said Amie Stepanovich, senior policy counsel with Access, a digital-freedom group. “The administration’s attempt to use Sony to justify increased transfer of information to the government is difficult to understand, particularly in the absence of substantive NSA reform, a subject the administration has yet to comment on in the new year.”

Stepanovich said the White House proposal appeared to be more concerned with privacy than a controversial cybersecurity bill that was reintroduced last week by Rep. Dutch Ruppersberger, a Maryland Democrat, but that “the devil is in the details.” The White House has historically not been supportive of that legislation, known as the Cyber Intelligence Sharing and Protection Act.

Obama’s proposal comes amid a week of announcements from the administration dealing with data security—and more troubling headlines. On Monday, the president announced a plan to combat identity theft and improve student privacy, a speech that was quickly followed by the simultaneous hack of U.S. Central Command’s Twitter and YouTube accounts by Islamic State sympathizers.

Both Republicans and Democrats on Capitol Hill have identified cybersecurity as a high priority in the new Congress, and the desire to pass legislation has only increased after a debilitating hack on Sony Pictures, an intrusion the administration has publicly blamed on North Korea.

Congress has repeatedly come up short on passing substantial cybersecurity packages, in part because of concerns from privacy groups. Both the Senate and the House held a carousel of hearings last year following the massive Target data breach that hit during the 2013 holiday shopping season, but negotiations failed to gain much traction, despite a steady trickle of breaches at Home Depot, JP Morgan, and Neiman Marcus.

But administration officials and advocates of tougher cybersecurity laws see reason for hope this year, as members of both parties have suggested that the Sony hack is a game-changer and a reminder that there is room for bipartisan compromise. Obama’s plan appears to offer narrower, more targeted liability protection than a similar proposal offered in 2011, a move intended to make information-sharing more palatable to companies and privacy advocates.

The liability coverage would include so-called cyberthreat indicators, such as IP addresses and routing information, but not actual content, according to a senior administration official. Still, a fact sheet saying the bill would require the Homeland Security Department to share information “in as near real time as possible” with other agencies is likely to raise concerns with privacy groups, as that would include the NSA, the FBI, and the Pentagon.

The proposed legislation would also ask the attorney general and the Homeland Security secretary to work with the Privacy and Civil Liberties Oversight Board to create clearer, more nuanced rules for the government in its sharing, retaining, and disclosing of private data.

Those offerings may not be enough to appease critics of expanded information sharing, however.

“Instead of proposing unnecessary computer security information sharing bills, we should tackle the low-hanging fruit,” said Mark Jaycox, a legislative analyst with the Electronic Frontier Foundation. “This includes strengthening the current information sharing hubs and encouraging companies to use them immediately after discovering a threat.”

Also on Tuesday, the administration will propose that Congress take up legislation seeking to broaden law enforcement’s authorities to fight cybercriminals by criminalizing the sale of stolen financial data, among other measures. It would also allow the administration to obtain court approval to hunt down computer networks that force websites to crash by issuing so-called denial-of-service attacks and amend the Computer Fraud and Abuse Act to ensure that “insignificant conduct” does not fall within the statute’s scope.

The White House additionally said Tuesday it will hold a summit on cybersecurity and consumer protection on Feb. 13 at Stanford University.