President Barack Obama made good on his promise to treat the crippling hack of Sony Pictures as an issue of national security, as the administration rolled out a new legislative plan Tuesday to combat future attacks and their subsequent economic effects.
“Cyber-threats are an urgent and growing danger,” the President Obama said as he visited the National Cybersecurity and Communications Integration Center, located inside Washington’s Department of Homeland Security building.
“This is a growing public safety and public health concern,” he added, according to the pool report.
In December, Mr. Obama spoke at length about the issue, saying “in this interconnected, digital world, there are going to be opportunities for hackers to engage in cyber assaults both in the private sector and the public sector. Now, our first order of business is making sure that we do everything to harden sites and prevent those kinds of attacks from taking place.”
“This is part of the reason why it’s going to be so important for Congress to work with us and get an actual bill passed that allows for the kind of information-sharing we need. Because if we don’t put in place the kind of architecture that can prevent these attacks from taking place, this is not just going to be affecting movies, this is going to be affecting our entire economy in ways that are extraordinarily significant.”
The proposed legislative action calls for bipartisan support, as well as collaboration between the private sector and law enforcement.
On February 13, the White House will host a summit on Cybersecurity and Consumer Protection. Additionally, the proposal calls for grants to expand cybersecurity education programs at the nation’s historically black colleges (as part of an initiative Obama launched in 2010). Top-line priorities from the White House include:
Enabling Cybersecurity Information Sharing: The Administration’s updated proposal promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration and information sharing amongst the private sector. Specifically, the proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), which will then share it in as close to real-time as practicable with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations (ISAOs) by providing targeted liability protection for companies that share information with these entities.
The legislation also encourages the formation of these private-sector led Information Sharing and Analysis Organizations. The Administration’s proposal would also safeguard Americans’ personal privacy by requiring private entities to comply with certain privacy restrictions such as removing unnecessary personal information and taking measures to protect any personal information that must be shared in order to qualify for liability protection. The proposal further requires the Department of Homeland Security and the Attorney General, in consultation with the Privacy and Civil Liberties Oversight Board and others, to develop receipt, retention, use, and disclosure guidelines for the federal government. Finally, the Administration intends this proposal to complement and not to limit existing effective relationships between government and the private sector. These existing relationships between law enforcement and other federal agencies are critical to the cybersecurity mission.
Modernizing Law Enforcement Authorities to Combat Cyber Crime: Law enforcement must have appropriate tools to investigate, disrupt and prosecute cyber crime. The Administration’s proposal contains provisions that would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity. It also reaffirms important components of 2011 proposals to update the Racketeering Influenced and Corrupt Organizations Act (RICO), a key piece of law used to prosecute organized crime, so that it applies to cybercrimes, clarifies the penalties for computer crimes, and makes sure these penalties are in line with other similar non-cyber crimes. Finally, the proposal modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.
National Data Breach Reporting: As announced yesterday, the Administration has also updated its proposal on security breach reporting. State laws have helped consumers protect themselves against identity theft while also encouraging business to improve cybersecurity, helping to stem the tide of identity theft. These laws require businesses that have suffered an intrusion to notify consumers if consumers’ personal information has been compromised. The Administration’s updated proposal helps business and consumers by simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain these requirements into one federal statute, and puts in place a single clear and timely notice requirement to ensure that companies notify their employees and customers about security breaches.