President Obama plans to introduce a new package of cybersecurity legislation on Tuesday that, among other measures, will grant companies partial immunity from lawsuits whenever they quickly share data on cyber threats with the Department of Homeland Security. "We’ve got to get something in place that allows both industry and government to work more closely together," an unnamed White House source told The Washington Post.
Those indicators of cyber threats would immediately be shared with other government agencies like the FBI, NSA, and Secret Service, as well as private-sector Information Sharing and Analysis Organizations (ISAOs). But Obama's latest package — which comes after the massive hack against Sony Pictures Entertainment and earlier attacks directed at major US retailers — contains many other provisions designed to heighten cybersecurity.
Companies would be shielded against lawsuits for sharing attack details
The package will allow for the prosecution of people found to be selling or renting out botnets (often used in distributed denial of service attacks) and authorize courts to shut those botnets down if criminal activity is detected. Obama's legislation would also make illegal the overseas sale of stolen US financial data, such as the personal information that spread across the web like wildfire after the Home Depot hack. It would not permit private sector companies to retaliate against hackers, though.
According to Politico, Homeland Security and the Attorney General will also "develop guidelines for the receipt, retention, use and disclosure of cyber threat data within the federal government" under the legislation. That last part is of particular interest to the Electronic Frontier Foundation; wary of the intelligence community's snooping tendencies, the EFF wants to ensure that private details aren't carelessly exchanged between government agencies like DHS and the NSA. "DHS needs to take an active lead role in ensuring that unnecessary personal information is not shared with intelligence authorities," a spokesperson told The Washington Post.
Obama's plan must somehow pass through Congress first
Privacy advocates are also concerned that the legal immunity granted to private sector companies is overly broad, especially if they end up needlessly disclosing sensitive, personal information. But the White House says that won't be a problem, noting that to qualify for the lawsuit protection, companies will need to stick closely to privacy restrictions like "removing unnecessary personal information" and carefully safeguarding the data. More often than not, the information being exchanged between private companies and the government will pertain to the method of attack, not the content that hackers are after, according to the administration.
Obama's latest attempt to ramp up US cybersecurity efforts also includes two proposals introduced Monday: forbidding companies from selling student data and urging hacked businesses to notify consumers of a cyber attack within 30 days. With a Republican-controlled Congress, Obama may face long odds in passing this package of proposals, but he'll be meeting with GOP leaders in an attempt to find common legislative ground this week. Obama will outline the full vision of his plan during a visit to the Department of Homeland Security today at 3PM.