President Obama’s proposals for cybersecurity legislation, unveiled this week, would allow the private sector to share more information on cyber threats with protection from liability, criminalize the sale of stolen financial data, and require companies to notify consumers about data breaches. They have been met with mixed reaction.
"With the Sony attack that took place, with the Twitter account that was hacked by Islamist jihadist sympathizers yesterday, it just goes to show how much more work we need to do both public and private sector to strengthen our cybersecurity," Obama said, adding that he had spoken to the Republican leaders of the House and Senate and, "I think we agreed that this is an area where we can work hard together, get some legislation done and make sure that we are much more effective in protecting the American people from these kinds of cyber attacks."
A White House statement said the updated proposal "promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration and information sharing amongst the private sector."
The plan also "would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen US financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity," the statement said.
Specifically, the President’s “proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), which will then share it in as close to real-time as practicable with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations (ISAOs) by providing targeted liability protection for companies that share information with these entities,” according to a summary of the proposed legislation.
“The legislation also encourages the formation of these private-sector led Information Sharing and Analysis Organizations,” the summary stated. “The Administration’s proposal would also safeguard Americans’ personal privacy by requiring private entities to comply with certain privacy restrictions such as removing unnecessary personal information and taking measures to protect any personal information that must be shared in order to qualify for liability protection.”
The proposed legislation “further requires the Department of Homeland Security [DHS] and the Attorney General, in consultation with the Privacy and Civil Liberties Oversight Board and others, to develop receipt, retention, use, and disclosure guidelines for the federal government. Finally, the administration intends this proposal to complement and not to limit existing effective relationships between government and the private sector. These existing relationships between law enforcement and other federal agencies are critical to the cybersecurity mission.”
Late last year, Congress passed S. 2519, the National Cybersecurity Protection Act of 2014, as well as the Senate amendment to H.R. 2952, the Cybersecurity Workforce Assessment Act — both bipartisan legislation to strengthen the nation’s cyber defenses.
Legislators said this is the most significant cyber bill to pass Congress in over a decade.
Reaction from the Hill
“I appreciate President Obama coming to Congress with a proposal on cybersecurity information sharing,” said Ron Johnson (R-Wis.), chairman of the Senate Committee on Homeland Security and Governmental Affairs. “Every day malicious cyber-actors steal proprietary, sensitive information from private companies, attack our critical infrastructure, and assault government agencies. Enabling effective information sharing between and among private companies and the federal government with real liability protections can improve our nation’s cybersecurity by providing businesses the tools they need to defend themselves and by providing government with a better assessment of the threats we are facing. The president’s proposal is an important first step in developing that legislation. I look forward to working with the White House and other committees of jurisdiction to make information-sharing a reality.”
“Last year, Congress made strides in bolstering our nation’s cyber defenses by passing four bipartisan cybersecurity bills that strengthen our national security and help modernize our nation’s cybersecurity and cyber workforce,” said former committee chairman Tom Carper (D-Del.), but, “More must be done.”
“One of our top priorities in Congress must be to promote cybersecurity information sharing among the private sector and with the federal government to defend against cyber attacks and encourage better coordination,” Carper said. “It is essential that any information-sharing bill strike an appropriate balance between the ability to share necessary data and to protect privacy and civil liberties. Congress must act quickly to bring forth information-sharing legislation in the face of the growing and evolving cyber threat, and the President’s proposal is an important part of that effort.”
“While it took an attack on Hollywood for the President to reengage Congress on cybersecurity, I welcome him to the conversation,” said Rep. Mike McCaul, chairman of the House Committee on Homeland Security. “Confronting the cyber threat has been a priority of mine for the past 10 years. In December, my counterparts in the Senate and I passed five cyber bills, including legislation that authorized the National Cybersecurity and Communications Integration Center. As a civilian interface, with robust privacy protections, the NCCIC is set up to protect Americans’ privacy and civil liberties while providing a safe harbor for private entities to share cyber threat information. My committee is currently working on cybersecurity legislation to remove any unnecessary legal barriers for the private sector to share cyber threat information.”
Experts weigh in
“The President’s proposal engages with the last of these problems – we need to share information, because no one defender can see what is going on, or which techniques are being used to attack other organizations, etc. This is a good step, but is not enough,” said Dr. Mike Lloyd, CTO at RedSeal, a security analytics company. “If organizations hope to benefit from timely intelligence information, they will need to understand their own defensive posture and readiness. Knowing that, say, a Heartbleed style of attack is being used on your neighbors doesn’t help much if you can’t immediately answer whether you have the same vulnerability. Organizations need to take a holistic approach, combining external warnings with internal knowledge of their defenses and weak points.”
Lloyd said, “Fighting a cyber war – even a defensive one – requires the same three disciplines as a regular battle: you have to understand the terrain you’re fighting on, your own forces and the movements of the enemy.”
“National standards for breach reporting are long overdue,” said Lance Cottrell, chief scientist at Ntrepid. “Right now your right to know if your information has been stolen depends on your state of residence, which is absurd. Broader and uniform reporting requirements keep businesses accountable for their security, and allow everyone to know when they need to take special precautions to protect themselves, their data and their accounts.”
Continuing, Cottrell said, “The modernizing of CFAA is incredibly important. At the moment there is ambiguity about whether violating the terms of service on Facebook, by using a nickname, could be treated as a felony computer crime because it constitutes unauthorized access. I hope that the associated penalties will also be rationalized when all the details are worked out.”
“The recent privacy legislation announced by Obama is a good step towards enabling companies to better share information on security threats and ensure that consumers receive consistent privacy notification. However, like any legislation, this won’t change how companies act unless there are real consequences and penalties,” commented Eric Chiu, president and co-founder of HyTrust, a cloud control company.
“Also,” Chiu said, “with breaches happening more frequently and the damage getting bigger — especially when the primary threat is coming from the inside — this legislation will do little to slow down or stop the real threat. Ultimately, companies need to stop viewing security as an insurance plan; instead, they need to think of security as a part of doing business. Until that happens, we will continue to see these breaches take place.”
Adam Kujawa, head of Malware Intelligence at Malwarebytes, said, “The most important aspects of this proposal are the enforcement of additional security practices, now a federal regulation, and the requirements for data breach sharing with customers. The regulations on information sharing between the government and private sector have been talked about in depth for a while now and it’s good to see that the government is going to step up and make this kind of thing happen. Information sharing, when done incorrectly, can be disastrous because leaked information about breaches, security holes and the like can be obtained by cyber criminals to use against organizations that might not be in the loop of government and private vulnerability sharing. However, when it IS done correctly, and we all hope it is, then it’s a powerful tool to quickly fix security problems and contain an attack to only a single organization or less.”
“Requirements for the handling and protection of personal data are, in my mind, the most important piece of this proposal because they ensure that all organizations must comply with a single regulation rather than having to check numerous regulations, which might contradict or leave open holes,” Kujawa said. “At the same time, I have mentioned in the past that a requirement like this, while a good idea, could also be dangerous if not used properly.”
“For example,” Kujawa explained, “if a serious hole has been discovered on the network of 50+ large organizations, it would do well to update the regulations quickly to get the information out about this hole and make sure organizations are secure. However, we all know how slow the government moves and a modification like that might not get deployed until it’s too late. At the same time, organizations that only follow the federal regulation for data security might be doing their users a disservice since they would assume that they are completely protected from all threats by following federal security regulations when in reality, threats always exist. And without the prudent mindset of keeping an eye out for threats at all times, organizations leave themselves open for attack by methods not covered by the regulations.”
“Finally, the requirements for breach sharing are very important since at the end of the day, a multi-million dollar company might have to spend some serious cash to fix a hole after a breach but the average Joe who only makes 50k a year can’t afford to have their information stolen and used against them for however long until they realize they have been compromised,” Kujawa emphasized, noting that, “The requirement of 30 days to release breach information to customers is good and even still could be better if it was sooner, but I understand the government trying to work with businesses who need to patch the security holes and form a PR strategy, for fear that they could go completely under from a breach without proper planning.”
“Stricter laws and greater power for law enforcement will help to battle cybercrime occurring here in the United States, although such things need to be hashed out deeply to protect people who are interested in security research and work in the security field from legal action while doing their jobs,” Kujawa said. “Also, it doesn’t do much for the attacks that come from other countries like Russia. Making data theft, DDOS and organized cybercrime even more illegal than it was before is great, however law enforcement will still need to work with the law organizations of other countries when going after criminals — and depending on the laws of said country, it may be a major roadblock in getting justice.”
Lastly, he said, “The arguments against this proposal will no doubt be what it means to the small business owner: Will the security requirements be too expensive or difficult for a small business to comply with and would that be fair to them? At the end of the day it’s not about the business, it’s about the people. If a business can’t afford to apply decent security on their networks that store private customer information, they should consider using a pen and paper.”
“One important aspect is about adopting stronger breach notification laws across the country as currently there are big discrepancies from state to state. Indeed, for the most part we have learned about security incidents from security bloggers and many people are still skeptical about businesses being upfront on this sensitive topic,” said Jerome Segura, senior security researcher at Malwarebytes.
“Privacy was mentioned in the speech as well with more protection for students and from automated data collection by certain Internet of Things such as energy meters. But it will take more than that to restore confidence in this post-Snowden era,” Segura said. “Certainly, the upcoming update to the Consumer Privacy Bill of Rights will be a good thing for consumers overall, provided of course that all parties on board fully commit to it.”
Steve Hultquist, chief evangelist at RedSeal, said, “The President’s focus on making sure that breaches are publicized creates additional pressure for all organizations to do whatever is possible to avoid breaches rather than simply respond to them. To avoid being breached, organizations have to be able to see and comprehend their extensive and complex network-interconnected systems and to know all possible attack vectors before they are exploited. The most visionary organizations understand that this analysis is actually possible, and deploy systems to continuously monitor their network and systems to safeguard their customers’ information and their critical assets.”
HITRUST said in a statement that it “applauds the White House’s proposal to encourage increased cyber threat information sharing between the private sector and government. Since 2007, HITRUST has endeavored to elevate the level of information protection by ensuring greater collaboration between industry and government, and raising the competency level of information security professionals across the healthcare industry. We have tremendous experience as a federally recognized Information Sharing and Analysis Organization (ISAO) and have many valuable lessons to share.”
“In the past,” HITRUST said, “there has been some confusion on who in the private sector companies can turn to in order to work with their government partners. With this step today, the White House has provided clarity that ISAOs are a key link that will continue to provide value to strengthen our government, our economy, and our nation as a whole given the growing cyber threats the nation faces. We look forward to working with the White House, Congress and the Department of Homeland Security as they continue to foster the formation of private-sector led information sharing as well as existing information sharing relationships between government and the private sector."
"Collaboration between industry and government to share threat information is crucial in the fight against sophisticated and persistent cyber criminals,” said Nicholas Ahrens, vice president for cybersecurity and data privacy at the Retail Industry Leaders Association. “Retailers have made great strides setting up the Retail Cyber Intelligence Sharing Center (R-CISC) and facilitating threat information sharing, both within the industry and also with the government. We look forward to continuing to coordinate with the NCCIC in the fight to protect customers from cyber criminals.”
R-CISC is the cyber security resource for the retail industry.
“We continue to work with the private sector to create shared situational awareness of potential cybersecurity vulnerabilities,” said Phyllis Schneck, Deputy Under Secretary for Cybersecurity and Communications at DHS’s National Protection and Programs Directorate.
Schneck said the Retail Cyber Intelligence Sharing Center has “further enhanced DHS’s collaboration with this important sector of the American economy and will provide information and resources that can help companies keep their networks and the consumer information stored on them safe and secure.”
Financial Services Roundtable (FSR) President and CEO Tim Pawlenty said, “It is critical companies have the tools they need to battle cybercriminals and shield customers from breaches. Strong information sharing laws will be a critical part of winning that battle. Cybercriminals, hacktivists and terrorists aren’t resting and neither should Congress.”