WASHINGTON — President Barack Obama is proposing cybersecurity legislation that increases government information-sharing and protects businesses from lawsuits for revealing cyberthreats. But an Associated Press review shows that some of his plans are retreads from years past.
Privacy advocates criticized other elements, especially involving data-sharing between companies and the government, in light of an ongoing debate about the scope of U.S. government surveillance and bulk data collection.
The president’s proposals are similar to congressional legislation that has been languishing on Capitol Hill, in part over privacy concerns. The White House is hoping that a recent spate of cyberattacks and data breaches — including November’s hacking at Sony Pictures Entertainment, which the administration blamed on North Korea — will spur lawmakers to take up the issue.
Obama planned to discuss his proposals later Tuesday in a speech at the National Cybersecurity and Communications Integration Center in Arlington, Virginia. They’re also expected to be part of his Jan. 20 State of the Union address.
A key part of the proposals, which have received support from some key Republicans in Congress, would enable cybersecurity information-sharing between U.S. agencies and the private sector. But that’s already been taking place — with uneven results — for more than 16 years between the government and private companies.
President Bill Clinton established the earliest Information Sharing and Analysis Centers in May 1998. These were intended to collect, analyze and distribute warnings about cyberthreats within eight of the most important U.S. industries, including banking, transportation, communications and energy.
In 2003, President George W. Bush moved responsibility for the warning centers from the FBI’s now-defunct National Infrastructure Protection Center to the Homeland Security Department. The warning centers have since been expanded to cover 16 critical industries, and others — such as one covering retail stores — have launched separately.
Some of the warning centers, such as the ones protecting banks and computer companies, are highly regarded. But others have been marked by uneven cooperation among members and confusion about roles during a cyberattack.
The government’s own $6.4 million Cyber Storm II exercise in March 2008, which simulated a large-scale cyberattack, revealed some confusion about alerts and fouled communications lines, such as when the Homeland Security Department shut off an encrypted message system over security concerns.
Obama’s plan would encourage the private sector to share cyberthreat information with the Homeland Security Department, according to a White House fact sheet. Companies would qualify for targeted liability protection but would have to comply with certain privacy restrictions.
Some congressional leaders had been looking for more cooperation between U.S. businesses and the civilian outfit at DHS — as opposed to the military’s National Security Agency — that shares information about cyberattacks between the private sector and the government.
“This is the Wild West, without any rules to the game,” said Rep. Michael McCaul, R-Texas, who chairs the House Homeland Security Committee. “It’s a new frontier with regard to terrorism and warfare.”
The White House said this week that the proposals also would modernize U.S. laws to combat cybercrime, such as by allowing for the prosecution of the sale of botnets (large numbers of hacked computers that can be directed remotely to attack targets) and by outlawing the sale of stolen credit card or bank account numbers.
But experts said such crimes already are covered under other existing laws, such as conspiracy to commit computer crimes.
“I don’t think there are prosecutions going down the tubes because of the lack of legislation on this,” said Mark Rasch, a former cybercrimes federal prosecutor.
Even with public-private information-sharing, such a program “isn’t a silver bullet,” said Mark Jaycox, a legislative analyst with the San Francisco-based Electronic Frontier Foundation, a civil liberties group. “We need to tackle the low-hanging fruit, the basic security precautions,” he said, such as regularly updating computer servers and requiring robust passwords, which could have played roles in recent high-profile breaches.
The group said Obama’s proposal “recycles old ideas that should remain where they’ve been since May 2011: on the shelf.” While it said the government should have appropriate tools to investigate cybercrime, recent domestic surveillance revelations show law enforcement “certainly doesn’t need more legal authorities to conduct digital surveillance.”
Disclosures by former NSA analyst Edward Snowden in 2013 showed the government was collecting phone records and digital communications of millions not suspected of a crime, prompting changes.
On Tuesday, U.S. officials testified before a House Foreign Affairs panel about the threat posed by North Korea, including the Sony attack. Gregory Touhill, a senior DHS official for cybersecurity operations and programs, told members that hackers exploited Sony using a “sophisticated worm” — a piece of malicious software — and tried to compromise the company’s computer systems when turned on.
The White House push comes after the Twitter and YouTube accounts for U.S. Central Command were taken over on Monday by hackers who claimed to be working on behalf of Islamic State militants. Other recent hackings at retailers including Target, Home Depot and Neiman Marcus have exposed the lack of uniform practices for alerting customers in the event of a breach.
Sen. John McCain, a member of the Homeland Security and Governmental Affairs committee, said Tuesday he was “glad the administration is coming forward with a proposal” and “guardedly optimistic we can come up with legislation that we can work with the administration on.”
JACK GILLUM, Associated Press
Associated Press writer Eric Tucker contributed to this report.