After the recent data breach at Sony Pictures, the issue of cybersecurity is making a comeback on Capitol Hill — for better and for worse.
During a speech at the Federal Trade Commission on Monday, President Barack Obama revealed some "spoilers" for next week's State of the Union address, including a proposal for a "single, strong national standard" requiring corporations to notify customers within 30 days when their personal information is compromised. The president also said he would craft a "Consumer Privacy Bill of Rights," as well as introduce legislation that would prevent companies from monetizing data collected from students using computers and apps in the classroom.
"As Americans we shouldn't have to forfeit our basic privacy when we go online to do our business," the president said during his speech at the FTC. "We pioneered the Internet, but we also pioneered the Bill of Rights and a sense that each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests."
It's a welcome gesture in light of the millions of people compromised by recent computer breaches at major retail giants, such as Target, Home Depot and Neiman Marcus. But apart from the question of whether the measures will pass in the new Republican-controlled Congress, Obama's good intentions are overshadowed by more troubling aspects of Washington's cybersecurity push — namely, the revival of the Cybersecurity Information Sharing and Protection Act (CISPA), a twice-stalled bill that has been roundly condemned by privacy and security advocates.
Obama threatened to veto CISPA the last two times it passed in the House, but this time could be different. During a speech today at the National Cybersecurity and Communications Integration Center (NCCIC), the president urged Congress to pass a similar cyber-sharing bill, one that would encourage private firms to share data with the government and that would include privacy guidelines for "removing unnecessary personal information."
"We've got to stay ahead of those who would do us harm. The problem is that government and the private sector are still not always working as closely together as we should. Sometimes it's still too hard for government to share threat information with companies," Obama said, adding that cyberdefense is going to be “a shared mission” with “government and industry working hand in hand.”
Talk of rebooting CISPA began almost immediately after the breach of Sony Pictures, in which hackers leaked internal documents including movie scripts, sensitive employee information and details of a secret campaign to advance the film industry's anti-piracy agenda by corrupting public officials. Subsequent threats from hackers caused Sony to cancel (and later un-cancel) the release of a major film, “The Interview,” leading officials to characterize the hack as an attack on freedom of speech. The FBI claims North Korea was behind the attack.
With the hack fresh in everyone's mind, it's clear that lawmakers and the Obama administration are using the opportunity to push through a new CISPA bill. The crucial question will be whether its information sharing benefits truly outweigh the civil liberties risks of giving even more information to intelligence agencies.
Unlike Obama's consumer protection proposal, which creates corporate liability by setting federal standards for disclosure of data breaches, CISPA grants corporations legal immunity while encouraging them to share private data with the government — including sensitive user information. It follows the same logic as U.S. counterterrorism initiatives, which are premised on the theory that gathering more and more data about threats will help prevent attacks.
A new version of CISPA introduced in the House last week by Rep. Dutch Ruppersberger, R-Md., revives much of the bill's original text. Ruppersberger has been a staunch defender of the NSA, which is headquartered in his state, and has received generous campaign donations from major players in the military-surveillance industry, such as Northrop Grumman, Raytheon and BAE Systems.
Ruppersberger’s bill ostensibly addresses privacy concerns by mandating the release of periodic privacy and civil liberties reports. But all of this oversight would be done by the same agencies collecting the information, not by an independent panel. Parts of the reports would also be classified, and the information shared between private companies and federal agencies would be exempt from disclosure under the Freedom of Information Act. Crucially, the companies would enjoy full legal immunity when sharing information with the government.
Privacy and security advocates have been frustrated that none of the cybersecurity proposals in Washington have included more practical measures, such as promoting the use of secure communication tools or holding companies liable when they fail to enforce basic security practices. The latter is especially vexing, because this lack of liability seems to be at the core of most corporate breaches: In one of four class-action lawsuits brought against Sony after the recent hack, former employees allege that the company "failed to take reasonable steps to secure the data of its employees from hacking and other collateral attacks," including neglecting to encrypt sensitive information stored on its servers. And the hack of JPMorgan last year reportedly succeeded because the company failed to update one of its servers. So it's hard to imagine how information sharing, rather than strongly enforced data security standards, could have prevented either incident.
"Rather than introducing a bill which would allow private entities to share personal information, including the content of emails, for vaguely defined 'cybersecurity purposes,' we should be looking to promote proper cybersecurity practices as a foundational pillar of modern businesses," said Rep. Zoe Lofgren, D-Calif., who is opposed to the Ruppersberger bill.
Obama looks set to reveal all the details of his cybersecurity strategy during next week's State of the Union address.