The White House has dedicated much of this week to pushing a framework for cybersecurity legislation that administration officials say could shore up the nation’s cyber defenses and help prevent breaches like the recent Sony hack or previous attacks on companies including Target and JP Morgan.
But some analysts aren’t convinced that an information-sharing proposal at the center of the push would really have done much to prevent those high-profile hacks, and could actually further threaten customers’ privacy by handing over data to government agencies such as the National Security Agency.
Lawmakers in both parties have largely demurred so far, issuing statements that praised the administration for working to tackle cybersecurity but saying that the proposals need further review.
Here’s what the plan would do
The keystone of Obama’s cyber push is language rolled out Tuesday for proposed legislation that seeks to entice companies into voluntarily sharing certain computer data with each other and the Homeland Security Department’s National Cybersecurity and Communications Integration Center. Companies that opt into the program would earn partial liability protections from lawsuits related to security breaches or privacy complaints from customers.
By sharing key digital information with DHS, the thinking goes, authorities, businesses, and private-sector security experts can work together to identify potential threats and vulnerabilities more quickly — and maybe prevent attacks from happening.
What information would companies share? Part of what the proposed language seeks to do is define what qualifies as a “cyber threat indicator” that the private sector and government would be allowed to share. In Obama’s proposal, indicators are data that are considered important for identifying “malicious reconnaissance” or a “technical vulnerability,” among a handful of other descriptions.
In practice, these indicators would comprise “technical data, IP addresses, date-time stamps, routing information, and things like that,” a senior administration official told reporters Tuesday.
“It’s primarily not going to be content,” the official added.
Obama’s plan does say that information can only be shared after “reasonable efforts” have been made to scrub anything that would identify people who are caught incidentally in the data swap and who are “reasonably believed to be unrelated to the cyber threat.”
The administration’s language also would require DHS to share relevant information with other relevant government agencies, such as the Pentagon and the NSA, “in as close to real time as practicable.”
That raises a red flag for government-surveillance critics, who are still waiting for post-Snowden NSA reform after a comprehensive bill fell two votes short of advancing in the Senate last November. Some privacy and civil-liberties groups have said they will not support information-sharing proposals until NSA surveillance changes are enacted.
Privacy groups not sold on Obama’s plan did say that it marks an improvement over most information-sharing bills that have been considered in Congress in recent years. In particular, several spoke approvingly of it in relation to the Cyber Intelligence Sharing and Protection Act, or CISPA, which has been floating around Congress for years and was reintroduced last week by Rep. Dutch Ruppersberger, D-Md.
“The president’s proposal fails to spell out clear, robust privacy protections to ensure any new information-sharing authority become just another tool for national security surveillance,” said Gabe Rottman, legislative counsel at the American Civil Liberties Union, in a statement. “That said, it does appear to be better than measures in the House and Senate that would mandate the automatic sharing of sensitive private information with the intelligence agencies and military.”
Obama, in years past, had repeatedly threatened to veto the measure if it ever landed on his desk, in part because of privacy questions as well as worry that its legal liability protections were overly broad. But the administration believes its proposal deals with both those concerns and that the spate of recent hacks has opened a window of opportunity for bipartisan cooperation in Congress.
In a bid to assuage privacy fears, Obama’s template would also ask the attorney general and the Homeland Security secretary to work with the Privacy and Civil Liberties Oversight Board to create clearer, more nuanced rules for the government in its sharing, retaining, and disclosing of the data.
But wait, there’s more
Obama is also sending language to Congress that would bolster law enforcement’s powers to criminalize the sale of financial data stolen through a hack. It would additionally criminalize the sale of botnets, which are networks of computers — sometimes totaling in the millions — that are often deployed for sinister purposes, such as spreading viruses or spam messages.
“Information received through this channel, in terms of law enforcement, can only be used to look at cybercrimes, major threats to minors or threats of bodily harm,” the senior administration official said. “So there’s some pretty significant law enforcement use limitations put on there.”
In addition, Obama wants to allow authorities to obtain court approval to go after multiple users of a computer network that is implicated in forcing websites to crash via denial-of-service attacks. The president wants to update the Racketeer Influence and Corrupt Organizations Act — more commonly known by its RICO shorthand — to include cybercrime and set penalties in line with other forms of organized crime. RICO provides prosecutors with tools to charge some members of a crime syndicate with the crimes committed by other members.
Obama’s cybersecurity package also calls for an update to the controversial Computer Fraud and Abuse Act by more clearly defining and, in some cases, narrowing the scope of the statute. The language would rein in prosecutions for activity considered “insignificant conduct,” such as violating a terms of service agreement.
Critics have long complained the Computer Fraud and Abuse Act is vague and has been unfairly applied to slam computer users for benign offenses. But while the apparent intent to limit the law’s reach was applauded, digital-freedom activists said the proposed updates may create other problems.
“It is potentially dangerous to attach a law as broad and vague as RICO to a law that is as broad and vague as CFAA,” said Harley Geiger, a policy counsel at the Center for Democracy & Technology, noting that online networks are not as well defined as ordinary criminal rings.
Geiger also said that recent rulings by the 9th and 4th U.S. Circuit Courts of Appeal went further than the White House’s proposal in narrowing the applicability of the Computer Fraud and Abuse Act.
But there’s more. Earlier this week, the president also proposed legislative language that would require companies to notify their customers within 30 days if their personal information has been exposed or stolen due to a data breach. The regulation has the backing of many companies because it would streamline current notification standards that vary across states and the District of Columbia.
Although Obama is pushing a bevy of cyber initiatives, the overall asks are less comprehensive than a cybersecurity bill that died in Congress in 2012. That measure, backed chiefly by Sens. Joe Lieberman and Susan Collins, was blocked by a Republican filibuster, despite months of negotiations that pared it down. Pro-business interest groups, including the U.S. Chamber of Commerce, lobbied against the bill because of concerns that the language would have been overly burdensome for businesses.
Obama told lawmakers Tuesday he intends to underscore cybersecurity in his State of the Union address next week. But despite the desire for quick action, the breadth of the legislation will likely elicit months of extensive review and debate within Congress — and more arm-twisting to get all stakeholders on board.