President Obama will propose new legislation Tuesday that encourages companies to share sensitive data with the government in a bid to ward off cyberattacks — and protects them from potential lawsuits if they opt to do so.
The proposal, which will be unveiled during a speech at the Department of Homeland Security, is part of a package of cybersecurity legislation the White House plans to send to Capitol Hill in the wake of last month’s hack of Sony Pictures Entertainment. Obama is expected to pitch the proposals at a meeting with the bipartisan, bicameral leaders of Congress earlier in the day.
“Certainly in the aftermath of some of the more recent cyberattacks that we’ve seen that have been carried out against a number of private companies — including most recently Sony — hopefully that got the attention of people on Capitol Hill, that they actually need to fulfill their responsibilities to actually make progress on this issue,” White House press secretary Josh Earnest said Monday, adding that the administration was “disappointed” more progress had not been made on the issue.
The legislation will ask private corporations to share cyber threat information with DHS, which will then disseminate it “in as near real time as possible” to other pertinent federal departments, as well as to collaborative groups run by the private sector that are designed to help identify and fix security holes.
In exchange, corporations that participate will get not only assistance in responding to cyberattacks, but broad legal immunity from users who could sue over the disclosure of their private information.
Those provisions largely mirror the Cyber Intelligence Sharing and Protection Act, a bipartisan bill designed to facilitate the sharing of real-time data among federal agencies and to offer liability protections for those who participate.
But that bill has languished for years on Capitol Hill after some Democrats — and the White House — said they were concerned that the bill did not do enough to protect privacy rights. Specifically, the White House said it was worried CISPA immunized companies that did not take reasonable measures to protect users’ privacy, and that the law did not demand companies remove irrelevant personal information from the cybersecurity data they shared with the federal government.
In a nod to those concerns, the White House said the legislation announced by the president would require participating companies to take certain privacy measures in order to qualify for the liability protections.
The law would also call for the attorney general and Homeland Security secretary to consult with the privacy and civil liberties oversight board to develop guidelines for the receipt, retention, use, and disclosure of private data by the federal government.
But it remains unclear whether the proposal will get buy-in, both from businesses who might be reluctant about the new scrubbing requirements, and from privacy advocates who could worry they don’t go far enough.
Separately, the White House will propose legislation expanding law enforcement’s abilities to combat cyber crime.
The new laws would criminalize the sale of stolen U.S. financial information and give the government broader authority to target spyware used in Internet stalking and identity theft schemes. The bill would also allow the administration to seek authority from the courts to go after networks of computers used to flood and disable targets with excessive traffic, in what is known as a denial of service attack.
And, under the new legislation, penalties for computer crimes would be increased to fall in line with their real-world equivalents.
Additionally, Vice President Biden will announce that the Department of Energy will provide $25 million in grants over the next five years to support a cybersecurity education consortium that will bring together students from 13 historically black colleges.
And next month, the White House will host a cybersecurity and consumer protection summit at Stanford University, where the administration hopes to attract business executives, law enforcement, and consumer and privacy advocates.
The legislative proposals unveiled by the president on Tuesday will be sent to Capitol Hill alongside a bill announced by Obama on Monday requiring companies to disclose to their customers any potential data breach within 30 days. The president is also asking Congress to pass a law that would prohibit companies from selling data collected on school technology.
"This is a direct threat to the economic security of American families, and we've got to stop it," Obama said Monday during a speech at the Federal Trade Commission. "If we're going to be connected, we've got to be protected."