With his mention of the issue in the State of the Union address and a broad-reaching set of legislative proposals, President Barack Obama has brought cybersecurity efforts in the US and beyond center stage. However, the right balance appears yet to have been struck in terms of protecting consumers and businesses while fighting cybercrime.
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” said Obama during his State of the Union speech.
“We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”
He also highlighted his efforts to increase online safety and access around the nation, saying, “I intend to protect a free and open internet, extend its reach to every classroom, and every community, and help folks build the fastest networks, so that the next generation of digital innovators and entrepreneurs have the platform to keep reshaping our world.”
In the president’s view, the Internet belongs to all. The data it produces, on the other hand, creates an interesting ownership question for many. The concept of sharing threat data with liability protection for corporations that provide information to crime fighters might seem like a perfect solution, but privacy advocates have raised alarms on whether the data can really be scrubbed of personally identifiable information.
“The president’s consumer privacy proposals – a federal data breach notification law and expanded protections for student information – are steps in the right direction, though the notification law must not be allowed to override more protective state laws. And the information sharing proposal, though better than alternative suggestions out there, fails to include clear privacy guidelines to keep sensitive personal information from flowing to the NSA and other intelligence agencies,” the American Civil Liberties Union (ACLU) commented in a blog post on Obama’s proposals.
“Before we give the government more power to collect our private information, we must deal with the suspicionless surveillance revealed by Edward Snowden,” the ACLU continued. “We also ought to focus on common sense security measures, including educating users on cyber-hygiene and encouraging companies to adopt basic security best practices, like two-factor authentication and encryption, to prevent hacks. This would be more effective, and less invasive, than expanding surveillance authorities or creating exemptions to existing privacy law.”
There is also the issue of whether information sharing can keep up with hackers. According to Vincent Vitkowsky, partner with Seiger Gfeller Laurie LLP, the point would be to allow private companies to share with each other and the government specific digital threat information.
“It would be helpful, but it won’t stop most of the most dangerous threats,” Vitkowsky told Advisen. “To be effective, sharing has to be done quickly, almost in real time — soon enough so that a hacker using the same methodology for multiple attacks can be stopped. But doing it that quickly is difficult technically and practically. Many of the most dangerous attacks are effected by what are referred to as ‘zero-day exploits,’ which are cyberattacks through methods that have not been used before, so there is no information to share about them. Still, there is some value to sharing the fact that a cyberattack occurred retrospectively, in terms of building a database to help model risks.”
Congress has already considered several measures that would allow for more free-flowing information sharing that have drawn widespread ire from consumers and advocates.
The Electronic Frontier Foundation questioned whether the bills hide a more sinister option for businesses and the government. “These bills purport to allow companies and the federal government to ‘share’ threat information for a ‘cybersecurity’ purpose—to protect and defend against attacks against computer systems and networks. But the bills are written broadly enough to permit your communications services providers to identify, obtain, and share your emails and text messages with the government. While business leaders have conceded that they do not need to share personally identifying information to combat computer threats, the bill provides an exception to existing law designed to protect your personal information.”
For the White House, information sharing is a means to an end. “While not a panacea, increased information sharing is a key element in improving our cybersecurity. The Administration’s updated proposal promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration and information sharing amongst the private sector,” stated the president in an explanation of the proposals. “The Administration’s proposal would also safeguard Americans’ personal privacy by requiring private entities to comply with certain privacy restrictions — such as removing unnecessary personal information and taking appropriate measures to protect any personal information that must be shared — in order to qualify for liability protection.”
The White House also proposed a formal federal data breach notification law for the purpose of “simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain data breach reporting requirements into one federal statute, and it puts in place a single, clear requirement to ensure that companies notify their employees and customers about security breaches on a timely basis.”
The insurance industry and the legal profession may have a closer eye on the liability protections promised by some of the president’s proposals.
“On the information sharing proposals, there is some ambiguity about the scope of the liability protections afforded. This could be an impediment to voluntary information sharing by private companies,” said Vitkowsky. “The Computer Fraud and Abuse Act is already very broad, and has been criticized for being too broad. Some have argued that sharing your Netflix password could constitute a violation. But merely toughening the penalties or enhancing prosecution authority is not likely to have a great deterrent effect on professional cybercriminals.”