It looks like 2015 is beginning where 2014 left off regarding cyberthreat information-sharing legislation.
President Obama on Jan. 13 unveiled his legislative proposal to promote cybersecurity information sharing between business and government, a proposal Congress has debated for years, but has been unable to enact.
Obama’s proposal, according to a summary released by the White House, would provide stronger privacy protections than did the Cyber Intelligence Sharing and Protection Act, the bill passed in the last Congress by the Republican-controlled House of Representatives and which the administration threatened to veto . Cyberthreat information-sharing legislation never came up for a vote in the then-Democratic-controlled Senate.
A senior administration official, speaking on background, says the White House’s position on CISPA that led to the veto threat has not changed. The administration says its proposal would safeguard Americans’ personal privacy by requiring businesses to comply with certain privacy restrictions, such as removing unnecessary personal information and taking measures to protect any personal information that must be shared, in order to qualify for liability protection. CISPA didn’t do that, and that’s one reason the White House threatened a veto. The White House also said CISPA provided too broad of liability protections for businesses. The new proposal offers targeted liability protection to businesses that share cyberthreat information.
Acting in Good Faith
That liability protection is important to businesses because they don’t want to face lawsuits from disgruntled shareholders and others because the information they share might disclose vulnerabilities in their IT systems. “The president’s proposal to grant targeted liability protections will foster greater industry participation, while helping to progress what has traditionally initiated the barriers to sound and meaningful threat-sharing policy,” says Elizabeth Hyman, executive vice president of public advocacy at the high-tech industry group TechAmerica. “Organizations acting in good faith should be incentivized to partner with the federal government.”
Obama’s proposal also would require the Department of Homeland Security and the attorney general to develop guidelines governing the receipt, retention, use and disclosure of cyberthreat information received from businesses.
In addition, the administration plan would encourage businesses to share appropriate cyberthreat information with the National Cybersecurity and Communications Integration Center, the Homeland Security agency responsible for information sharing and analysis to protect the federal government and critical infrastructure. NCCIC (pronounced n-kick), as the center is known, would then share the information in as close to real time as practicable with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Centers.
The White House proposal would encourage industries that do not have ISACs to form them. But to be most effective, the respective industries running the ISACs need to make sure they don’t cede too much authority to the federal government, says Chris Blask, who chairs the Industrial Control System ISAC.
Too often, he says, ISACs are more about what the federal government wants rather than what industry needs. “This is not at all bad, but it does not intrinsically speak to the needs and interests of various private-sector demographics,” Blask says.
Reaction to Obama’s plan from business and privacy groups was generally cautious. The Financial Services Roundtable, in a statement, says it applauds Obama for raising “this important discussion on information sharing and looks forward to reviewing the details of the proposal.”
Harley Greiger, senior counsel at the Center for Democracy and Technology, an online advocacy group, is taking a wait-and-see approach on the Obama plan. “The White House proposal relies heavily on privacy guidelines that are currently unwritten,” he says. “What these guidelines say and when they are applied will be critical to protecting Internet users. Privacy protections and use restrictions must be in effect before information sharing occurs.”
In the Capitol, the partisan rhetoric of the 113th Congress reverberated in the new 114th Congress as some lawmakers responded to the president’s plan with a bit of mockery. “While it took an attack on Hollywood for the president to re-engage Congress on cybersecurity, I welcome him to the conversation,” says House Homeland Security Committee Chairman Mike McCaul, R-Texas, referring to the Sony Pictures Entertainment breach.
A more straightforward response came from Rep. David Nunes, the California Republican who’s the new chairman of the House Intelligence Committee.
“I am glad to see President Obama putting forth his ideas to address this critical issue,” he says. “They will receive close consideration as the House Intelligence Committee crafts a cyber-bill.”
The senior administration official sounded more optimistic about prospects for passage of cyberthreat sharing legislation. “Everybody has indicated a willingness to talk and to move things forward and move beyond that straight-up piece of legislation,” the official says. “The administration is serious about working on this issue and has clearly articulated its position going into those discussions with the Hill. And I look forward to some good, productive discussions with the folks up on various committees this spring.”
Prosecuting Botnet Sales
Another legislative initiative proposed by Obama would strengthen law enforcement to combat cybercrime. If enacted, the legislation would:
Allow the prosecution of those who sell botnets;Expand federal law enforcement authority to deter the sale of spyware used to stalk or commit identity theft;Give courts the authority to shut down botnets engaged in distributed denial-of-service attacks and other criminal activity.
“Much like possession of robbery tools is a criminal offense for those who are arrested trying to break and enter into a house, this proposal focuses on the tools – botnets, spyware, etc. – that are used in furtherance of breaches, IP theft and identity theft,” says Christopher Pierson, former president of the Phoenix chapter of InfraGard, an FBI-private sector partnership that shares threat information. “This is a step in the right direction, but, of course, the application depends on the ability to capture and prosecute the persons involved in the crime.”
Obama’s proposal also would apply to cybercriminals the Racketeering Influenced and Corrupt Organizations Act, the statute known as RICO that government lawyers use to prosecute those involved in organized crime. It also would clarify the penalties for computer crimes, and ensures these penalties are in line with other similar non-cybercrimes.
The cybercrime legislative proposal would criminalize the overseas sale of stolen U.S. financial information, such as credit card and bank account numbers. But some security experts question the effectiveness of such a law. “For it to be effective, we need to have cooperation of the law enforcement authorities in the countries where the data is being sold and purchased,” says cybersecurity expert Gene Spafford of Purdue University. “We do not have authority to shut down sites or arrest people in other countries, even if what they are doing is illegal here. We need international cooperation.”