Obama’s Cybersecurity Plan, Explained

Could the White House initiative have stopped the Sony hack?

Dustin Volz
Jan. 14, 2015, 4:59 a.m.

The White House has dedicated much of this week to pushing a framework for cybersecurity legislation that administration officials say could shore up the nation's cyber defenses and help prevent breaches like the recent Sony hack or previous attacks on companies including Target and JP Morgan.

But some analysts aren't convinced that an information-sharing proposal at the center of the push would really have done much to prevent those high-profile hacks, and they warn it could actually further threaten customers' privacy by handing data over to government agencies such as the National Security Agency.

Lawmakers in both parties have largely demurred so far, issuing statements that praised the administration for working to tackle cybersecurity but saying that the proposals need further review.

Here's what the plan would do

The keystone of Obama's cyber push is language rolled out Tuesday for proposed legislation that seeks to entice companies into voluntarily sharing certain computer data with each other and the Homeland Security Department's National Cybersecurity and Communications Integration Center. Companies that opt into the program would earn partial liability protections from lawsuits related to security breaches or privacy complaints from customers.

By sharing key digital information with DHS, the thinking goes, authorities, businesses, and private-sector security experts can work together to identify potential threats and vulnerabilities more quickly — and maybe prevent attacks from happening.

What information would companies share? Part of what the proposed language seeks to do is define what qualifies as a "cyber threat indicator" that the private sector and government would be allowed to share. In Obama's proposal, indicators are data that are considered important for identifying "malicious reconnaissance" or a "technical vulnerability," among a handful of other descriptions.

In practice, these indicators would comprise "technical data, IP addresses, date-time stamps, routing information, and things like that," a senior administration official told reporters Tuesday.

"It's primarily not going to be content," the official added.

Obama's plan does say that information can only be shared after "reasonable efforts" have been made to scrub anything that would identify people who are caught incidentally in the data swap and who are "reasonably believed to be unrelated to the cyber threat."
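As an added illustration, not part of the proposal or of this article, the following Python script shows what "reasonable efforts" to minimize an indicator could look like in practice: an allowlist of the technical fields the official described, generalization of the victim's internal address so no single workstation is identifiable, and redaction of e-mail addresses and usernames that belong to bystanders while an identifier tied to the threat itself (here, a phishing sender) is retained. The field names, the sample event, the internal address ranges and the rules are assumptions chosen for illustration.

```python
"""Minimize a raw security event into a shareable cyber threat indicator.

Added example, not code from the proposal or the article. The field names,
the sample event, and the minimization rules are assumptions chosen to
illustrate sharing technical data while scrubbing identifiers of people
unrelated to the threat.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Technical fields of the kind described (IPs, timestamps, routing data).
# This is an allowlist: a field not named here is never shared, so a new
# field added to the event schema defaults to "not shared".
SHAREABLE = ("indicator_type", "src_ip", "dst_ip", "dst_port", "protocol",
             "timestamp", "src_asn", "threat_identifiers", "notes")

# Assumed internal address space of the sharing company (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
USERNAME_RE = re.compile(r"\buser(?:name)?[=:]\s*[\w.-]+", re.IGNORECASE)


def scrub_text(text: str, keep: frozenset = frozenset()) -> str:
    """Redact e-mail addresses and user=... tokens from free text.

    Addresses listed in `keep` identify the threat itself (for example a
    phishing sender) and are retained; every other address is treated as
    a bystander's and removed.
    """
    def _email(match: re.Match) -> str:
        return match.group(0) if match.group(0).lower() in keep else "[email redacted]"
    text = EMAIL_RE.sub(_email, text)
    return USERNAME_RE.sub("user=[redacted]", text)


def generalize_victim_ip(ip: str) -> str:
    """Keep external (attacker-side) addresses exact; report internal hosts
    only as their /24 so a single workstation, and its user, cannot be
    picked out of the shared record."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return str(ipaddress.ip_network(f"{addr}/24", strict=False))
    return ip


def minimize_indicator(raw: dict) -> dict:
    """Return the record that would leave the company for the sharing hub."""
    keep = frozenset(i.lower() for i in raw.get("threat_identifiers", []))
    out = {}
    for key in SHAREABLE:
        if key not in raw:
            continue
        value = raw[key]
        if key in ("src_ip", "dst_ip"):
            value = generalize_victim_ip(value)
        elif key == "notes":
            value = scrub_text(value, keep)
        elif key == "timestamp":
            # Normalize to UTC ISO 8601 so recipients can correlate events.
            value = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
        out[key] = value
    return out


# Constructed sample event: a phishing mail seen at the company's gateway.
# 203.0.113.0/24 and AS64496 are documentation values, not a real attacker.
SAMPLE_EVENT = {
    "indicator_type": "phishing",
    "src_ip": "203.0.113.45",          # sending relay: shared exactly
    "dst_ip": "10.20.30.41",           # internal gateway: generalized to /24
    "dst_port": 25,
    "protocol": "tcp",
    "timestamp": 1421229540,           # 2015-01-14 09:59:00 UTC
    "src_asn": 64496,
    "threat_identifiers": ["billing@mail-example.net"],
    "notes": "Mail from billing@mail-example.net reached jdoe@example.com (user=jdoe)",
    "employee_name": "Jane Doe",       # not in SHAREABLE: dropped
    "message_body": "Dear Jane, please open the attached invoice.",  # content: dropped
}

if __name__ == "__main__":
    for key, value in minimize_indicator(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

Run stand-alone, the script prints only the allowlisted fields: the employee's name, the message body and the exact victim host never appear, while the sender address that characterizes the threat survives in the notes. The allowlist rather than a blocklist is the design choice that matters; with a blocklist, every new field a SOC adds to its event schema would be shared by default until someone remembered to exclude it.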

The administration's language also would require DHS to share relevant information with other government agencies, such as the Pentagon and the NSA, "in as close to real time as practicable."

That raises a red flag for government-surveillance critics, who are still waiting for post-Snowden NSA reform after a comprehensive bill fell two votes short of advancing in the Senate last November. Some privacy and civil-liberties groups have said they will not support information-sharing proposals until NSA surveillance changes are enacted.

Privacy groups not sold on Obama's plan did say that it marks an improvement over most information-sharing bills that have been considered in Congress in recent years. In particular, several spoke approvingly of it in relation to the Cyber Intelligence Sharing and Protection Act, or CISPA, which has been floating around Congress for years and was reintroduced last week by Rep. Dutch Ruppersberger, D-Md.

"The president's proposal fails to spell out clear, robust privacy protections to ensure any new information-sharing authority doesn't become just another tool for national security surveillance," said Gabe Rottman, legislative counsel at the American Civil Liberties Union, in a statement. "That said, it does appear to be better than measures in the House and Senate that would mandate the automatic sharing of sensitive private information with the intelligence agencies and military."

Obama, in years past, had repeatedly threatened to veto CISPA if it ever landed on his desk, in part because of privacy questions as well as worry that its legal liability protections were overly broad. But the administration believes its proposal deals with both those concerns and that the spate of recent hacks has opened a window of opportunity for bipartisan cooperation in Congress.

In a bid to assuage privacy fears, Obama's template would also ask the attorney general and the Homeland Security secretary to work with the Privacy and Civil Liberties Oversight Board to create clearer, more nuanced rules for the government in its sharing, retaining, and disclosing of the data.

But wait, there's more

Obama is also sending language to Congress that would bolster law enforcement's powers by criminalizing the sale of financial data stolen through a hack. It would additionally criminalize the sale of botnets, which are networks of compromised computers, sometimes totaling in the millions, that are often deployed for malicious purposes such as spreading viruses or spam messages.

"Information received through this channel, in terms of law enforcement, can only be used to look at cybercrimes, major threats to minors or threats of bodily harm," the senior administration official said. "So there's some pretty significant law enforcement use limitations put on there."

In addition, Obama wants to allow authorities to obtain court approval to go after multiple users of a computer network that is implicated in forcing websites to crash via denial-of-service attacks. The president wants to update the Racketeer Influenced and Corrupt Organizations Act — more commonly known by its RICO shorthand — to include cybercrime and set penalties in line with other forms of organized crime. RICO provides prosecutors with tools to charge some members of a crime syndicate with the crimes committed by other members.

Obama's cybersecurity package also calls for an update to the controversial Computer Fraud and Abuse Act by more clearly defining and, in some cases, narrowing the scope of the statute. The language would rein in prosecutions for activity considered "insignificant conduct," such as violating a terms of service agreement.

Critics have long complained the Computer Fraud and Abuse Act is vague and has been unfairly applied to slam computer users for benign offenses. But while the apparent intent to limit the law's reach was applauded, digital-freedom activists said the proposed updates may create other problems.

"It is potentially dangerous to attach a law as broad and vague as RICO to a law that is as broad and vague as CFAA," said Harley Geiger, a policy counsel at the Center for Democracy & Technology, noting that online networks are not as well defined as ordinary criminal rings.

Geiger also said that recent rulings by the 9th and 4th U.S. Circuit Courts of Appeals went further than the White House's proposal in narrowing the applicability of the Computer Fraud and Abuse Act.

But there's more. Earlier this week, the president also proposed legislative language that would require companies to notify their customers within 30 days if their personal information has been exposed or stolen due to a data breach. The proposal has the backing of many companies because it would replace the current patchwork of notification standards, which vary across states and the District of Columbia, with a single federal standard.

Although Obama is pushing a bevy of cyber initiatives, the overall asks are less comprehensive than a cybersecurity bill that died in Congress in 2012. That measure, backed chiefly by Sens. Joe Lieberman and Susan Collins, was blocked by a Republican filibuster, despite months of negotiations that pared it down. Pro-business interest groups, including the U.S. Chamber of Commerce, lobbied against the bill because of concerns that the language would have been overly burdensome for businesses.

Obama told lawmakers Tuesday he intends to underscore cybersecurity in his State of the Union address next week. But despite the desire for quick action, the breadth of the legislation will likely elicit months of extensive review and debate within Congress — and more arm-twisting to get all stakeholders on board.

