President Obama speaks at the National Cybersecurity and Communications Integration Center, in Arlington, Va., on January 13, 2015. Evan Vucci/AP

The Limits of the White House’s Cybersecurity Plan

Could the White House initiative have stopped the Sony hack?

By Dustin Volz

The White House has dedicated much of this week to pushing a framework for cybersecurity legislation that administration officials say could shore up the nation's cyber defenses and help prevent breaches like the recent Sony hack or previous attacks on companies including Target and JP Morgan.

But some analysts aren't convinced that an information-sharing proposal at the center of the push would really have done much to prevent those high-profile hacks, and they say it could actually further threaten customers' privacy by handing over data to government agencies such as the National Security Agency.

Lawmakers in both parties have largely demurred so far, issuing statements that praised the administration for working to tackle cybersecurity but saying that the proposals need further review.

Here's what the plan would do

The keystone of Obama's cyber push is language rolled out Tuesday for proposed legislation that seeks to entice companies into voluntarily sharing certain computer data with each other and the Homeland Security Department's National Cybersecurity and Communications Integration Center. Companies that opt into the program would earn partial liability protections from lawsuits related to security breaches or privacy complaints from customers.

By sharing key digital information with DHS, the thinking goes, authorities, businesses, and private-sector security experts can work together to identify potential threats and vulnerabilities more quickly—and maybe prevent attacks from happening.

What information would companies share? Part of what the proposed language seeks to do is define what qualifies as a "cyber threat indicator" that the private sector and government would be allowed to share. In Obama's proposal, indicators are data that are considered important for identifying "malicious reconnaissance" or a "technical vulnerability," among a handful of other descriptions.

In practice, these indicators would comprise "technical data, IP addresses, date-time stamps, routing information, and things like that," a senior administration official told reporters Tuesday.

"It's primarily not going to be content," the official added.

Obama's plan does say that information can only be shared after "reasonable efforts" have been made to scrub anything that would identify people who are caught incidentally in the data swap and who are "reasonably believed to be unrelated to the cyber threat."

The administration's language also would require DHS to share relevant information with other relevant government agencies, such as the Pentagon and the NSA, "in as close to real time as practicable."

That raises a red flag for government-surveillance critics, who are still waiting for post-Snowden NSA reform after a comprehensive bill fell two votes short of advancing in the Senate last November. Some privacy and civil-liberties groups have said they will not support information-sharing proposals until NSA surveillance changes are enacted.

Privacy groups not sold on Obama's plan did say that it marks an improvement over most information-sharing bills that have been considered in Congress in recent years. In particular, several spoke approvingly of it in relation to the Cyber Intelligence Sharing and Protection Act, or CISPA, which has been floating around Congress for years and was reintroduced last week by Rep. Dutch Ruppersberger, D-Md.

But wait, there's more

Obama is also sending language to Congress that would bolster law enforcement's powers to criminalize the sale of financial data stolen through a hack. It would additionally criminalize the sale of botnets, which are networks of computers—sometimes totaling in the millions—that are often deployed for sinister purposes, such as spreading viruses or spam messages.

"Information received through this channel, in terms of law enforcement, can only be used to look at cybercrimes, major threats to minors or threats of bodily harm," the senior administration official said. "So there's some pretty significant law enforcement use limitations put on there."

In addition, Obama wants to allow authorities to obtain court approval to go after multiple users of a computer network that is implicated in forcing websites to crash via denial-of-service attacks. The president wants to update the Racketeer Influenced and Corrupt Organizations Act—more commonly known by its RICO shorthand—to include cybercrime and set penalties in line with other forms of organized crime. RICO provides prosecutors with tools to charge some members of a crime syndicate with the crimes committed by other members.

Obama's cybersecurity package also calls for an update to the controversial Computer Fraud and Abuse Act by more clearly defining and, in some cases, narrowing the scope of the statute. The language would rein in prosecutions for activity considered "insignificant conduct," such as violating a terms of service agreement.

Critics have long complained the Computer Fraud and Abuse Act is vague and has been unfairly applied to slam computer users for benign offenses. But while the apparent intent to limit the law's reach was applauded, digital-freedom activists said the proposed updates may create other problems.

"It is potentially dangerous to attach a law as broad and vague as RICO to a law that is as broad and vague as CFAA," said Harley Geiger, a policy counsel at the Center for Democracy & Transparency, noting that online networks are not as well defined as ordinary criminal rings.

Geiger also said that recent rulings by the 9th and 4th U.S. Circuit Courts of Appeal went further than the White House's proposal in narrowing the applicability of the Computer Fraud and Abuse Act.

But there's more. Earlier this week, the president also proposed legislative language that would require companies to notify their customers within 30 days if their personal information has been exposed or stolen due to a data breach. The regulation has the backing of many companies because it would streamline current notification standards that vary across states and the District of Columbia.

Although Obama is pushing a bevy of cyber initiatives, the overall asks are less comprehensive than a cybersecurity bill that died in Congress in 2012. That measure, backed chiefly by Sens. Joe Lieberman and Susan Collins, was blocked by a Republican filibuster, despite months of negotiations that pared it down. Pro-business interest groups, including the U.S. Chamber of Commerce, lobbied against the bill because of concerns that the language would have been overly burdensome for businesses.

Obama told lawmakers Tuesday he intends to underscore cybersecurity in his State of the Union address next week. But despite the desire for quick action, the breadth of the legislation will likely elicit months of extensive review and debate within Congress—and more arm-twisting to get all stakeholders on board.
