POLITICO Pro: Information sharing at top of Obama cyber agenda

A new legislative proposal unveiled by President Barack Obama on Tuesday would reshape federal cybersecurity information-sharing with the private sector, broadening DHS’ outreach beyond the sectors of critical infrastructure like banks and power companies on which it has traditionally focused.

A central portion of the White House’s plan would grant targeted liability protection to companies that share cyber threat information with the government — removing what critics say is a major stumbling block to private sector partnership with federal authorities on cyber issues.

“Neither government nor the private sector can defend the nation alone. It’s going to have to be a shared mission — government and industry working hand in hand,” the president said during an afternoon visit to DHS’s Arlington, Va.-based 24-hour cyber watch center, the National Cybersecurity and Communications Integration Center.

The proposal would grant liability protection for companies sharing with each other through “information-sharing and analysis organizations.” But it would also contain what officials said were robust privacy protections.

“What we’re trying to do with this proposal is really increase the information flow about the threat indicators, so we can really develop that picture of what is happening to us, the collective us, the United States, in cyberspace,” a senior administration official said.

Under the administration proposal, the DHS center would share cyber threat data it receives in close to real time with other federal agencies, and with private-sector information-sharing organizations. Those organizations would comply with privacy safeguards, the administration says.

Information-sharing would consist of technical data, such as Internet protocol addresses, time stamps and routing information, with as much personally identifiable information as possible removed. “It’s primarily not going to be content, or other kinds of information like that, most of the time,” the official said.

The liability protection would be limited to “the act of sharing these cyber threat indicators,” he added.

“We see this as very targeted, narrow liability protection,” the official said, adding that past attempts at liability protection for cyber threat information-sharing floundered from a lack of focus, as well as because of opposition from privacy advocates. “We really didn’t have this concept of the DHS portal, and how you would target the liability protection.”

Similar proposals have stalled out in prior Congresses, but the administration believes the stars could be aligned this time, because of growing public concern about online security in the wake of a series of major cyberattacks on U.S. companies.

“Foreign governments, criminals and hackers probe America’s computer networks every single day,” said the president. “We saw that again in the attack on Sony.” He said the Sony hack would be “very costly” to clear up.

Earlier in the day, Obama met with House Speaker John Boehner and Senate Majority Leader Mitch McConnell about cyber legislation, saying “that this is an area where we can work hard together.” Congress passed a handful of cybersecurity bills at the last minute last year, setting up momentum the administration hopes to capitalize on.

“Recent events certainly underscore the need, again, to tackle cybersecurity,” said McConnell after the meeting. “It’s been very complicated with a lot of jurisdictional crosscurrents in the Senate; we’re going to make another run at breaking through that problem and getting something the president can sign,” he added, referring to the deadlock over congressional turf that helped doom a passel of cyber bills in the last Congress.

Getting the administration’s cybersecurity agenda into law has been a matter of a series of discrete victories rather than a single major bill, particularly after the Senate in 2012 didn’t act on comprehensive legislation favored by Obama that was sponsored by Sens. Joe Lieberman (D-Conn.) and Susan Collins (R-Maine).

“I do see a window of opportunity here,” the administration official said.

The proposal’s use of the term “information-sharing and analysis organization” isn’t accidental. For more than a decade the government has promoted “information-sharing and analysis centers” in different business sectors, to facilitate the flow of government information to private companies, especially those that own and operate critical infrastructure.

An ISAO is a broader entity than an ISAC, which are almost universally organized around industrial sectors, such as financial services, aviation or retail. Entities in the private sector could organize ISAOs along regional lines, by business size or around common interests.

“We’re really trying to allow for a multiplicity of ways the private sector would want to organize itself, and not just restrict itself to the sector-based [ISACs],” the official said.

Privacy implications have in the past contributed to the failure of information-sharing legislation, and the senior official was at pains to stress the accommodations the administration has made to satisfy privacy advocates.

The requirement that companies take reasonable steps to remove personally identifiable information unrelated to cyber threats, plus guidance on the receipt, retention, use and disclosure of that data by the federal government that would be developed by DHS and the attorney general, amount to “two very strong privacy requirements,” the official said.

The bill is better in several respects than the Cyber Intelligence Sharing and Protection Act passed by the House last Congress, allowed Harley Geiger, senior counsel at the Center for Democracy & Technology, who said he reviewed a copy of the bill.

The requirement to strip out personally identifiable information “is a crucial safeguard,” he said.

Nonetheless, the proposal’s reliance on guidance that hasn’t yet been developed makes it impossible to gauge how effective privacy protections will be, he added.

The proposal allows for secondary use of cyber threat data by law enforcement, in cases of computer crime, threat of death or serious bodily harm, or a serious threat to a minor (or an attempt or conspiracy to commit those offenses).

“There is no ‘imminence’ requirement there,” Geiger said, meaning the scope for widespread data collection exists. The term “computer crime” is also an undefined one in the proposal, Geiger said.

Data shared with the government could also potentially be stored indefinitely, Geiger added, since the section of the bill on data retention calls for data to be destroyed only once it has been determined to be unrelated to authorized uses.

It would be better for privacy if the government were under a deadline to prove that the data are relevant, or otherwise automatically lose them, he said.

Geiger and others also have criticisms about the law enforcement reform portions of Obama’s legislative packages. “Law enforcement certainly doesn’t need more legal authorities to conduct digital surveillance or prosecute criminals,” wrote the Electronic Frontier Foundation in a blog post.

Rolling back the ease with which computer users can be prosecuted under the Computer Fraud and Abuse Act is a long-standing watchdog goal, and the proposal takes steps in that direction. But although the bill would curtail prosecutions premised on the theory that a violation of an Internet service’s terms of service is a prosecutable offense, it wouldn’t end them.

Specifically, it would still allow prosecutions based on the act of exceeding “authorized access to a computer” when the computer in question is government-owned, or the information stolen is worth $5,000 and in furtherance of a felony, Geiger said. Crafting a felony charge under the CFAA isn’t difficult, Geiger said.

The proposal’s addition of CFAA offenses to the Racketeer Influenced and Corrupt Organizations Act has also raised eyebrows. Unlike organized criminal cabals, online communities are loose and ill-defined. The barriers to entry are considerably lower, so combining the CFAA with RICO “could lead to a broad extension of government power to prosecute individuals for computer usage,” Geiger warned.

Obama, during his tour of the NCCIC, said his proposals are intended to have cybercriminals “feel the full force of American justice.”