In the wake of several high-profile hacks on private U.S. companies, including the now infamous attack on Sony Pictures Entertainment, the White House on Tuesday unveiled a broad set of legislative proposals aimed at combating the growing threat that cyberattacks pose to U.S. industry. One of the plan’s chief, and most controversial, elements is a law that would extend liability protection to companies that share information about cyberattacks on their systems with government agencies.
It remains to be seen how willing businesses will be to share sensitive information with a government that, at times, seems unable to protect its own digital assets. Even the military is not immune. Twitter and YouTube accounts belonging to the U.S. military’s Central Command were taken over Monday by a group claiming allegiance to the Islamic State.
President Obama was expected to share more details about the plan Tuesday afternoon at an event at the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. On Monday, the president unveiled a set of proposals meant to help protect individuals’ personal information. Those proposals included a requirement that companies report data breaches to customers within 30 days.
Under broad-stroke legislative proposals the president is expected to talk about Tuesday, private-sector companies would be encouraged to share information about cyberattacks with NCCIC, which would in turn share the data with federal agencies and private industry groups typically known as Information Sharing and Analysis Organizations. Such groups employ experts to evaluate security threats to companies in a range of industries. Companies that share such data would be given “targeted liability protection,” the White House said.
The administration also proposed legislation that would direct private companies to remove “unnecessary personal information” from their files while requiring DHS, the Attorney General and agencies to develop guidelines for collecting, storing and using personal information. Many agencies already operate under a hodgepodge of rules and regulations when it comes to collecting individuals’ personal data.
Obama also wants to give law enforcement greater powers to fight cybercrime. Among other things, he is proposing that courts be given the authority to shut down botnets, or networks of interconnected computers, responsible for distributed denial-of-service (DDoS) attacks. A group calling itself Lizard Squad used a DDoS attack to bring down the Microsoft Xbox Live and Sony PSN gaming and entertainment networks over the recent holiday season.
The laws proposed by the White House on Tuesday could cut down on the number of cyberattacks against corporations, which were up 48 percent in 2014 compared to 2013, according to PricewaterhouseCoopers. But not all industry groups support the plan. “President Obama’s cybersecurity legislative proposal recycles old ideas that should remain where they’ve been since May 2011: on the shelf,” said the Electronic Frontier Foundation, a nonprofit group that advocates for Internet freedom and privacy, in a statement.
The EFF said that the president’s plan would result in “a serious risk of transferring more personal information to intelligence and law enforcement officials.” The EFF said the White House should be encouraging companies to make greater use of existing industry-run information-sharing hubs, which it said are “underutilized and underresourced.”