President Obama in his State of the Union address described a cybersecurity policy initiative designed to confront an existential threat to the nation and an immediate challenge to the digital lifestyles of everyone who lives here.
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” Obama said in his Jan. 20 speech. “We are making sure our government integrates intelligence to combat cyberthreats, just as we have done to combat terrorism.”
The president put the challenge to lawmakers: “And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”
The first portion of the Obama administration’s plan is to encourage information sharing between the private sector and federal government by providing “targeted” liability protection to industry.
Companies that send data on “threat indicators” to the National Cybersecurity and Communications Integration Center, run by the Department of Homeland Security, or to new industry-run “information sharing and analysis organizations” would be protected from regulatory actions, civil suits or other legal penalties.
Industry groups say liability protection is essential to encourage “real-time” sharing of cyberthreat indicators to repel or remediate attacks.
Adm. Michael Rogers, head of the National Security Agency and U.S. Cyber Command; FBI leaders and others on the front lines of the cybersecurity struggle have long said legally protected information sharing is the most important missing piece from the policy puzzle.
Phyllis Schneck, DHS’s top cybersecurity official, was once a senior executive with McAfee who saw firsthand how companies hesitated before sharing data with the government.
“The next day we were not able to share information about certain oil and gas companies in the sector being targeted,” Schneck testified before a congressional panel in 2013. “Our lawyers didn’t let us because they worried we’d get sued the next day if the stock prices of the energy sector went down.”
The Obama White House has moved slowly — some would say reluctantly — on offering liability protection.
Republicans are already developing their own information-sharing bills — and they will brush aside the administration’s insistence on merely offering “targeted” relief.
House Homeland Security Chairman Michael McCaul, R-Texas, is working on a bill that would protect companies from liability arising from “the act of sharing,” similar to the Obama proposal, but also from liability in the event of an actual cyber incident.
McCaul’s proposal would allow companies to apply for liability protection under the DHS-administered SAFETY Act, which would be predicated on taking reasonable steps to secure computer networks.
Rep. Devin Nunes, R-Calif., the new chairman of the House Intelligence Committee, is expected to work on similar legislation covering industry’s interactions with the NSA, according to sources.
Cyber information-sharing proposals are likely to emerge soon from the Senate homeland security and intelligence panels — offering more liability protection than the administration has proposed.
“The fact that the administration included a degree of liability protection shows they’re probably willing to discuss [the details],” a financial sector representative said. “Hopefully they can work together.”
The second part of the plan is a set of new criminal penalties intended to raise the price of cybercrime.
His proposal “would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity,” according to a White House fact sheet.
It would also update antiquated racketeering and computer fraud laws to recognize the treacherous new landscape of cybercrime.
The third part of the president’s proposal would create a national data-breach notification standard to replace dozens of state laws.
The proposal would require retailers, banks and other companies to notify affected customers within 30 days of discovering a breach.
Business groups favor a uniform standard while some online privacy groups are concerned that the proposal would undermine tougher laws in states like California.
Senate Judiciary Chairman Charles Grassley, R-Iowa, is drafting a breach-notification bill, while Energy and Commerce Chairman Fred Upton, R-Mich., and commerce subcommittee Chairman Michael Burgess, R-Texas, are developing a House version.
“Cyber crime is a real and escalating concern for the American people, and recent high-profile security breaches have only reinforced the urgent need for congressional action,” Upton and Burgess said in a statement.
Major business groups issued statements praising the administration for engaging on cyber issues, particularly information sharing with liability protection.
“It is helpful to see the administration getting engaged on cybersecurity information-sharing legislation,” said Ann M. Beauchesne, U.S. Chamber of Commerce vice president for national security and emergency preparedness. “Today, companies don’t share on a sufficiently wide scale because of fear of lawsuits.”
“Dead on arrival” is a common refrain when it comes to the laundry lists typically unveiled in State of the Union speeches.
Lawmakers appear certain to address the cyber issues raised by the president — and equally certain to move proposals that resemble Obama’s in name only.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.