Obama’s Cybersecurity Plan, Explained

Could the White House initiative have stopped the Sony hack?

Dustin Volz
Jan. 14, 2015, 4:59 a.m.

The White House has dedicated much of this week to pushing a framework for cybersecurity legislation that administration officials say could shore up the nation’s cyber defenses and help prevent breaches like the recent Sony hack or previous attacks on companies including Target and JP Morgan.

But some analysts aren’t convinced that an information-sharing proposal at the center of the push would really have done much to prevent those high-profile hacks, and could actually further threaten customers’ privacy by handing over data to government agencies such as the National Security Agency.

Lawmakers in both parties have largely demurred so far, issuing statements that praised the administration for working to tackle cybersecurity but saying that the proposals need further review.

Here’s what the plan would do

The keystone of Obama’s cyber push is language rolled out Tuesday for proposed legislation that seeks to entice companies into voluntarily sharing certain computer data with each other and the Homeland Security Department’s National Cybersecurity and Communications Integration Center. Companies that opt into the program would earn partial liability protections from lawsuits related to security breaches or privacy complaints from customers.

By sharing key digital information with DHS, the thinking goes, authorities, businesses, and private-sector security experts can work together to identify potential threats and vulnerabilities more quickly — and maybe prevent attacks from happening.

What information would companies share? Part of what the proposed language seeks to do is define what qualifies as a “cyber threat indicator” that the private sector and government would be allowed to share. In Obama’s proposal, indicators are data that are considered important for identifying “malicious reconnaissance” or a “technical vulnerability,” among a handful of other descriptions.

In practice, these indicators would comprise “technical data, IP addresses, date-time stamps, routing information, and things like that,” a senior administration official told reporters Tuesday.

“It’s primarily not going to be content,” the official added.

Obama’s plan does say that information can only be shared after “reasonable efforts” have been made to scrub anything that would identify people who are caught incidentally in the data swap and who are “reasonably believed to be unrelated to the cyber threat.”

The administration’s language also would require DHS to share relevant information with other relevant government agencies, such as the Pentagon and the NSA, “in as close to real time as practicable.”

That raises a red flag for government-surveillance critics, who are still waiting for post-Snowden NSA reform after a comprehensive bill fell two votes short of advancing in the Senate last November. Some privacy and civil-liberties groups have said they will not support information-sharing proposals until NSA surveillance changes are enacted.

Privacy groups not sold on Obama’s plan did say that it marks an improvement over most information-sharing bills that have been considered in Congress in recent years. In particular, several spoke approvingly of it in relation to the Cyber Intelligence Sharing and Protection Act, or CISPA, which has been floating around Congress for years and was reintroduced last week by Rep. Dutch Ruppersberger, D-Md.

“The president’s proposal fails to spell out clear, robust privacy protections to ensure any new information-sharing authority become just another tool for national security surveillance,” said Gabe Rottman, legislative counsel at the American Civil Liberties Union, in a statement. “That said, it does appear to be better than measures in the House and Senate that would mandate the automatic sharing of sensitive private information with the intelligence agencies and military.”

Obama, in years past, had repeatedly threatened to veto the measure if it ever landed on his desk, in part because of privacy questions as well as worry that its legal liability protections were overly broad. But the administration believes its proposal deals with both those concerns and that the spate of recent hacks has opened a window of opportunity for bipartisan cooperation in Congress.

In a bid to assuage privacy fears, Obama’s template would also ask the attorney general and the Homeland Security secretary to work with the Privacy and Civil Liberties Oversight Board to create clearer, more nuanced rules for the government in its sharing, retaining, and disclosing of the data.

But wait, there’s more

Obama is also sending language to Congress that would bolster law enforcement’s powers to criminalize the sale of financial data stolen through a hack. It would additionally criminalize the sale of botnets, which are networks of computers — sometimes totaling in the millions — that are often deployed for sinister purposes, such as spreading viruses or spam messages.

“Information received through this channel, in terms of law enforcement, can only be used to look at cybercrimes, major threats to minors or threats of bodily harm,” the senior administration official said. “So there’s some pretty significant law enforcement use limitations put on there.”

In addition, Obama wants to allow authorities to obtain court approval to go after multiple users of a computer network that is implicated in forcing websites to crash via denial-of-service attacks. The president wants to update the Racketeer Influenced and Corrupt Organizations Act — more commonly known by its RICO shorthand — to include cybercrime and set penalties in line with other forms of organized crime. RICO provides prosecutors with tools to charge some members of a crime syndicate with the crimes committed by other members.

Obama’s cybersecurity package also calls for an update to the controversial Computer Fraud and Abuse Act by more clearly defining and, in some cases, narrowing the scope of the statute. The language would rein in prosecutions for activity considered “insignificant conduct,” such as violating a terms of service agreement.

Critics have long complained the Computer Fraud and Abuse Act is vague and has been unfairly applied to slam computer users for benign offenses. But while the apparent intent to limit the law’s reach was applauded, digital-freedom activists said the proposed updates may create other problems.

“It is potentially dangerous to attach a law as broad and vague as RICO to a law that is as broad and vague as CFAA,” said Harley Geiger, a policy counsel at the Center for Democracy & Technology, noting that online networks are not as well defined as ordinary criminal rings.

Geiger also said that recent rulings by the 9th and 4th U.S. Circuit Courts of Appeal went further than the White House’s proposal in narrowing the applicability of the Computer Fraud and Abuse Act.

But there’s more. Earlier this week, the president also proposed legislative language that would require companies to notify their customers within 30 days if their personal information has been exposed or stolen due to a data breach. The regulation has the backing of many companies because it would streamline current notification standards that vary across states and the District of Columbia.

Although Obama is pushing a bevy of cyber initiatives, the overall asks are less comprehensive than a cybersecurity bill that died in Congress in 2012. That measure, backed chiefly by Sens. Joe Lieberman and Susan Collins, was blocked by a Republican filibuster, despite months of negotiations that pared it down. Pro-business interest groups, including the U.S. Chamber of Commerce, lobbied against the bill because of concerns that the language would have been overly burdensome for businesses.

Obama told lawmakers Tuesday he intends to underscore cybersecurity in his State of the Union address next week. But despite the desire for quick action, the breadth of the legislation will likely elicit months of extensive review and debate within Congress — and more arm-twisting to get all stakeholders on board.
