Cybersecurity Bill Faces Tough Sledding on Capitol Hill
President Barack Obama’s bid to get Congress to pass stalled cybersecurity legislation is seen as having an uphill fight amid differences between Republicans and the administration over privacy safeguards and other issues.
Obama announced Tuesday revised legislation that would give companies legal protections for sharing information with each other and the government about hacking threats. Obama said it’s needed to help prevent attacks like the November hack that crippled thousands of computers at Sony Pictures Entertainment.
While there is broad agreement companies should get legal protections for sharing threat data, Congress has failed to reach a deal on a bill in the past four years. It isn’t clear recent cyber attacks will spur lawmakers to embrace Obama’s proposal, which his aides sent to the Congress today.
“The legislative proposal the White House put out is really just to mark out a negotiating position with the Republican-controlled Congress,” Denise Zheng, a senior fellow at the Center for Strategic and International Studies in Washington, said in a phone interview. “It’s part of a strategy to engage them on some these trickier issues like liability protection and role of government.”
Obama, a Democrat, has singled out cybersecurity as an area for bipartisan agreement with a Congress controlled by Republicans.
“The problem is government and the private sector are not always working as closely together as they should,” Obama said in remarks at the Department of Homeland Security’s National Cybersecurity and Communications Integration Center in Arlington, Virginia. “Sometimes companies are reluctant to reveal their vulnerabilities.”
Only a few hours earlier, Obama met with congressional leaders at the White House, where tensions emerged over unrelated legislation.
Obama’s cybersecurity proposal seeks to narrow what kind of data companies can share with the government and how it can be used in order to address privacy concerns, an administration official told reporters today. The person spoke on condition of anonymity before the announcement.
Companies must take reasonable steps to remove personally identifying information and can only share technical indicators about hacking attacks, such as Internet Protocol addresses, routing data and time stamps, the official said.
The requirements to remove personal information are vague and could be confusing for companies, said Stewart Baker, a former assistant secretary for policy at the DHS and now a partner at the law firm Steptoe & Johnson LLP in Washington. Companies also should be encouraged to share more than technical data, such as the content of malicious e-mails, he said.
“This part of the proposal looks more like point-scoring than bipartisanship,” Baker said in an e-mail. “If companies have to hire lawyers before they can share such information, it’s a tax on information sharing.”
In order to receive legal protections, the data must be shared with the DHS cyber center.
The administration wants to have information go directly to the DHS center rather than the National Security Agency. The move is intended to address privacy objections to the NSA obtaining unfettered data about activity on private networks in the U.S. Once the DHS gets the data, it can share it with other agencies, including the NSA.
Many Republicans, however, think the NSA is better suited and more capable than DHS of taking the lead. Differences between lawmakers over which agency should be the primary portal for information sharing “is going to continue to be a major sticking point,” said Zheng, who is deputy director for the strategic technologies program at CSIS and previously worked as a Senate aide.
The DHS may also pass the data to law enforcement agencies, the official said. Law enforcement could only use the data for certain purposes, such as investigating cybercrimes, threats to minors or crimes aimed at harming people.
Trade groups representing Internet, software and technology companies were generally supportive of Obama’s proposal, although cautioned they need more details.
“It is critical companies have the tools they need to battle cybercriminals and shield customers from breaches,” Tim Pawlenty, president and chief executive officer of the Financial Services Roundtable, a top banking lobby in Washington, said in an e-mail. “Strong information sharing laws will be a critical part of that winning that battle.”
Mark MacCarthy, vice president of public policy for the Software and Information Industry Association, said “information sharing on known cyber threats and vulnerabilities is the most critical component of preventing and mitigating attacks.”
The Obama administration is laying out several cybersecurity priorities this week ahead of the president’s Jan. 20 State of the Union speech.
Obama also asked Congress to enable law enforcement to better investigate, disrupt and prosecute cybercrime. The proposal calls for criminalizing the sale of botnets and stolen U.S. financial data such as credit card and bank account numbers. It would also authorize courts to shutter botnets involved in distributed denial of service attacks and other criminal activities.
The president called for updating the Racketeer Influenced and Corrupt Organizations Act to apply to cybercrime, setting penalties in line with other crimes. Obama also suggested Congress modernize the Computer Fraud and Abuse Act so that it can be used to prosecute insiders who misuse their access to information.
The White House also plans to host a cybersecurity summit at Stanford University on Feb. 13.
Yesterday, Obama renewed calls for Congress to pass stalled legislation that would require companies that have consumer data hacked to notify customers who are at risk. Companies would have 30 days from learning of a breach to tell customers, according to the White House.
As Obama was speaking about the other elements of his cybersecurity plans Tuesday, hackers took over the Twitter and YouTube accounts of the U.S. Central Command, which oversees American military operations in the Middle East and North Africa. The White House said it’s looking into who’s behind the attack while also downplaying its severity.
The House of Representatives passed a version of the information-sharing legislation in April 2013, however the Senate never took it up.
The White House had threatened to veto the House bill because it didn’t have enough safeguards to ensure the personal information of Americans isn’t inappropriately monitored.
Representative C.A. “Dutch” Ruppersberger, a Maryland Democrat who serves on the House intelligence committee, reintroduced the bill on Jan. 8 for the new Congress to consider.
Obama traveled to the DHS facility Tuesday while being at odds with Congress over funding for the department, which is also responsible for immigration enforcement.
Some Republicans are upset about Obama’s executive action on immigration last year to allow about 5 million more undocumented immigrants to stay in the U.S. Lawmakers reached a compromise late last year to allow the DHS to be funded temporarily.
White House Press Secretary Josh Earnest told reporters yesterday that the president would veto a DHS spending bill that restricts Obama’s immigration changes.
–With assistance from Mike Dorning in Washington.