The White House early on Tuesday unveiled a proposal for cybersecurity legislation in the wake of the Sony hack. President Obama has been commenting on the hacking incident and reviewing responses, treating it as a “national security issue,” the White House has said.
In a statement issued in the early morning hours, the White House said: “At a time when public and private networks are facing an unprecedented threat from rogue hackers as well as organized crime and even state actors, the President is unveiling the next steps in his plan to defend the nationâ€™s systems. These include a new legislative proposal, building on important work in Congress, to solve the challenges of information sharing that can cripple response to a cyberattack.”
It added: “They also include revisions to those provisions of our 2011 legislative proposal on which Congress has yet to take action, and along with them, the President is extending an invitation to work in a bipartisan, bicameral manner to advance this urgent priority for the American people.”
Here is a look at the key parts of the legislative proposal:
Enabling Cybersecurity Information Sharing: “The administrationâ€™s updated proposal promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration and information sharing amongst the private sector,” the White House said. Specifically, it encourages the private sector “to share appropriate cyber threat information with the Department of Homeland Securityâ€™s National Cybersecurity and Communications Integration Center (NCCIC), which will then share it in as close to real-time as practicable with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations by providing targeted liability protection for companies that share information with these entities.”
The proposed legislation would also encourage the formation of such private-sector led Information Sharing and Analysis Organizations. But the White House emphasized that the proposal “would also safeguard Americansâ€™ personal privacy by requiring private entities to comply with certain privacy restrictions, such as removing unnecessary personal information and taking measures to protect any personal information that must be shared in order to qualify for liability protection.” The proposal would require the Department of Homeland Security and the Attorney General, in consultation with the Privacy and Civil Liberties Oversight Board and others, to develop receipt, retention, use, and disclosure guidelines for the government.
Modernizing Law Enforcement Authorities to Combat Cyber Crime: “Law enforcement must have appropriate tools to investigate, disrupt and prosecute cyber crime,” the White House said. “The administrationâ€™s proposal contains provisions that would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.”
It also reaffirms some older proposals to update the Racketeering Influenced and Corrupt Organizations Act, which is used to prosecute organized crime, to make it apply to cybercrimes, clarify the penalties for computer crimes and makes sure they are “in line with other similar non-cyber crimes.”
National Data Breach Reporting: “State laws have helped consumers protect themselves against identity theft while also encouraging business to improve cybersecurity, helping to stem the tide of identity theft,” the White House said. “These laws require businesses that have suffered an intrusion to notify consumers if consumersâ€™ personal information has been compromised. The administrationâ€™s updated proposal helps business and consumers by simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain these requirements into one federal statute, and puts in place a single clear and timely notice requirement to ensure that companies notify their employees and customers about security breaches.”
The White House on Tuesday also announced a “Summit on Cybersecurity and Consumer Protection” that will take place on Feb. 13 at Stanford University. It said it would “help shape public and private sector efforts to protect American consumers and companies from growing threats to consumers and commercial networks.”
Added the administration: “The summit will bring together major stakeholders on cybersecurity and consumer financial protection issues, including senior leaders from the White House and across the federal government, CEOs from a wide range of industries, including the financial services industry, technology and communications companies, computer security companies and the retail industry, as well as law enforcement officials, consumer advocates, technical experts, and students.”
Topics at the summit will include increasing public-private partnerships and cybersecurity information sharing, creating and promoting improved cybersecurity practices and technologies, and improving adoption and use of more secure payment technologies.
MPAA CEO Chris Dodd weighed in on the news later Tuesday, noting that Obama’s proposals are designed to protect U.S. consumers and businesses from the sort of crippling cyberattack Sony experienced.
“In a world where essentially every single consumer â€” and their personal data â€” is connected online, this conversation could not be more critical,” Dodd said in a statement, acknowledging the Internet as a source of “creativity and innovation.” “But, as recent events have once again made clear, criminal enterprises are also using the Internet to steal trade secrets and content and invade personal privacy. Businesses of all sizes are vulnerable to this kind of theft, which can leave their proprietary, competitive secrets and even their digital products exposed and available online for anyone to loot. Consumers risk seeing their financial data or even their personal pictures and correspondence spread all over the Internet â€” with very little accountability for those who post stolen information. Government and the private sector are faced with the monumental task of defending against these criminal activities.”
Dodd argued that law enforcement agencies should be “given the resources they need to police these criminal activities.”
“And responsible participants in the Internet ecosystem â€” content creators, search, payment processors, ad networks, ISPs â€” need to work more closely together to forge initiatives to stop the unlawful spread of illegally-obtained content,” he added. “I applaud both the President for proposing steps to address these cyberthreats, as well as leaders in Congress who have taken on these tremendously important issues. I hope that Congress will keep its focus on strengthening and securing the Internet for everyone.”