As members of the U.S. Congress started to prepare for the upcoming legislative session, President Obama lost little time in putting cybersecurity near the top of a to-do list for lawmakers. During a visit to the federal National Cybersecurity Communications Integration Center, Obama called for additional legislation to improve information technology protection.
Speaking to NCCIC staff last week, Obama said that “protecting our digital infrastructure is a national security priority and a national economic priority.”
He noted that during the past six years, “we’ve pursued a comprehensive strategy, boosting our defenses in government, sharing more information with the private sector to help them defend themselves, [and] working with industry through what we call the Cybersecurity Framework, not just to respond to threats and recover from attacks, but to prevent and disrupt them in the first place.”
Information-Sharing and Cybercrime Proposals
Obama outlined two major objectives for legislative action.
The first proposal would facilitate better information sharing between the private sector and government on cyberthreats. It also would enhance collaboration and information sharing within the private sector, according to the White House.
The proposal provides measures to ensure that the government would protect privacy and civil liberties while safeguarding critical information networks. The program includes liability provisions that protect private companies from legal actions that might arise from sharing consumer information for purposes of coping with cyberthreats.
It “builds and improves upon legislation that we’ve put forward in the past,” and reflects “years of extensive discussions with industry,” Obama said. Both the U.S. House and Senate last year addressed cyberthreat information sharing, but proposed measures failed to become law.
The second administration proposal provides for the prosecution of parties who sell botnets, and criminalizes the overseas sale of stolen U.S. financial information. Additionally, the measure would expand federal law enforcement to deter the sale of spyware used to stalk or commit ID theft, and give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.
The Obama proposal reaffirms components of previous proposals to update the Racketeering Influenced and Corrupt Organizations Act, or RICO, so that it applies to cybercrimes. It clarifies the penalties for computer crimes, and it makes sure those penalties are in line with those imposed for similar non-cybercrimes.
It modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the law, while clarifying that the CFAA can be used to prosecute insiders who abuse their ability to access information.
Support With Reservations
Industry reaction to the White House proposals was guarded. Both private sector parties and privacy advocacy groups expressed support for the goal of improved cyberprotection but took issue with components of the White House program.
“Our industry shares the president’s commitment to protecting the security and privacy of Americans’ personal information, and we appreciate the White House’s engagement on this critical issue,” said Frank Keating, president and CEO of the American Bankers Association.
While the ABA supports the information-sharing objective, the administration’s approach to liability protection remains an issue of concern. Coverage of business-to-business, as well as business-to-government information sharing, needs to be addressed, said Doug Johnson, ABA’s senior vice president for payments and cybersecurity policy.
The Financial Services Roundtable, which represents banking, insurance and credit card companies, expressed similar concerns, indicating that the Obama proposal was simply a starting point for addressing the issue in Congress.
“It is critical that companies have the tools they need to battle cybercriminals and shield customers from breaches. Strong information-sharing laws will be a critical part of winning that battle,” said FSR President and CEO Tim Pawlenty.
The financial industry will be working closely with Congress this year to ensure that needed information-sharing legislation, with appropriate protections, moves forward, the FSR said.
The administration’s proposal “is right that sharing is important, so long as we agree that we’re all in this together and that we have some degree of common cause as we face cyberadversaries,” said Mike Lloyd, chief technology officer at RedSeal.
Privacy advocates immediately registered concerns about the administration’s program.
The Electronic Frontier Foundation contended that expanded information sharing would pose a serious risk of transferring more personal information to intelligence and law enforcement agencies.
The White House rightly criticized a 2014 Senate proposal that allowed the unnecessary transfer of personal information to the government, said the EFF.
However, the latest administration proposal is “very similar to the language” of the 2014 Senate measure, EFF legislative analyst Mark Jaycox told the E-Commerce Times.
Another advocacy group, the Center for Democracy & Technology, asserted that the administration’s proposal had significant problems regarding law enforcement’s access to Internet user information.
“The White House proposal relies heavily on privacy guidelines that are currently unwritten. What these guidelines say and when they are applied will be critical to protecting Internet users. Privacy protections and use restrictions must be in effect before information sharing occurs,” said CDT Senior Counsel Harley Geiger.
Congress Will Set Its Own Course
Given recent cyberhacking attacks of Sony and the U.S. military’s Central Command, and the terrorist attack in France, the environment for congressional action on cyberlegislation is positive.
“I think there already was good momentum in Congress for acting on cyberlegislation, and the White House proposal just added to it. There is a better chance of enactment of legislation this year than there was in 2014,” ABA’s Johnson said.
However, key lawmakers made it clear that the White House proposal was unlikely to make it through the legislative process without modification.
“Enabling effective information sharing between and among private companies and the federal government with real liability protections can improve our nation’s cybersecurity by providing businesses the tools they need to defend themselves, and by providing government with a better assessment of the threats we are facing,” said Sen. Ron Johnson, R-Wis., chairman of the Senate Homeland Security and Governmental Affairs Committee.
“The president’s proposal is an important first step in developing that legislation,” he added.
“Cyberattacks are a growing danger to the United States, our economy and our national security. This Congress needs to strengthen our defenses against these attacks by passing an effective information sharing bill,” said Rep. Devin Nunes, R-Calif., chairman of the House Permanent Select Committee on Intelligence.
I am glad to see President Obama putting forth his ideas to address this critical issue,” he added. “They will receive close consideration as the House Intelligence Committee crafts a cyberbill.”