Last night, President Obama gave his annual State of the Union address in which Internet and cyber issues got their own paragraphs. On the Internet, the president said:
I intend to protect a free and open Internet, extend its reach to every classroom, and every community, and help folks build the fastest networks, so that the next generation of digital innovators and entrepreneurs have the platform to keep reshaping our world.
On cybersecurity, he said:
No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.
President Obama’s remarks referred to policy proposals he announced last week, in which he proposed a plan to incentivize the delivery of high speed Internet and called on Congress to pass legislation to facilitate cybersecurity information sharing, protect consumer data, and increase the penalties in the Computer Fraud and Abuse Act (CFAA).
The cybersecurity information sharing proposal is interesting. According to the text the president has sent Congress, the legislation aims to facilitate information sharing by:
1. explicitly authorizing a private entity to share cyber threat indicators with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), any federal entity (including law enforcement), and private sector-led information sharing and analysis organizations (ISAOs);
2. launching a process to determine best practices for the creation and operation of ISAOs, organizations the White House hopes can act as clearing houses to pass cyber threat information between private sector entities; and
3. allowing NCCIC to share cyber threat information it has received from private entities with other federal entities, such as the National Security Agency or the FBI.
As opposed to requiring companies to report indicators, the proposed law hopes to incentivize companies to share information by shielding them from liability and regulatory action. The draft law would also require the attorney general, in cooperation with a slew of federal entities, to develop privacy guidelines for the use, retention, and disclosure of the indicators the private sector provides.
There are a couple of things that stand out from the proposal. First, the draft focuses heavily on the private sector sharing information with the government but remains largely silent on the government sharing information with the private sector. Information sharing is not a one-way street: the private sector needs information from the government if it hopes to better protect itself against advanced persistent threats. The U.S. government already provides programs that facilitate this, like DHS’ Enhanced Cybersecurity Services or US-CERT’s product offerings, but it all too often takes and rarely gives back. While legislation provides some legal protections to incentivize sharing, the private sector will only share if it gets something in return. That’s not so much a legal issue as it is a policy and operational one.
Second, though the privacy community has embraced some aspects of the White House plan, especially compared to the Cyber Intelligence Sharing and Protection Act (CISPA), concerns remain. As Paul Rosenzweig has already noted, many of the privacy provisions rest on the "reasonableness" of stripping personally identifiable information from reports of cyber threat indicators. That is likely to cause a battle between the intelligence community, which needs to know as much as possible, and the privacy advocates, who only want to share what is absolutely necessary. Furthermore, relatively little is said about the privacy controls that the ISAOs should have when handling cyber threat indicators. This stands in contrast to the controls that the legislation proposes for government, such as destruction schedules, protecting proprietary information, and creating anonymizing processes. The discrepancy makes me wonder whether ISAOs could abide by a lower privacy standard than the government when handling the exact same information.
With regard to the amendments to the CFAA, Orin Kerr provides a legal analysis of the proposal in the Washington Post. I see two primary policy considerations. First, the amendments could make it harder for computer security researchers to do their job. As I’ve said before, some of the amendments, such as attaching stiff penalties to the use of information derived from a computer security breach, could make it difficult for researchers and security companies to analyze incidents. Second, it’s hard to see what increasing the penalty for unauthorized access to a computer will achieve. Will a potential hacker not deterred by the prospect of ten years in prison be deterred by twenty? Increasing criminal penalties certainly will do nothing to stop hackers in China, Russia, or North Korea.
Could this finally be the year when the Congress passes cyber legislation? I think yes. Public awareness of the threat is at an all-time high. The Sony attack has created pressure for Congress to act (though it is not clear that any of the legislation would have prevented the North Korean hackers from breaching the company). Moreover, there is bipartisan support for cybersecurity legislation. The New York Times this morning contrasts the bold vision President Obama delivered in the State of the Union with the political reality that he lost control of both houses of Congress: "The question raised by the speech was whether advancing initiatives with little or no hope of passage constituted an act of bold leadership or a feckless waste of time." Yet, while disparaging most of the President’s agenda, prominent Republicans like Senator Lamar Alexander of Tennessee have pointed to cybersecurity as an area where "we can get some agreement." As in the past, privacy concerns will make or break the legislation, but we should expect to see real signs of progress.