White House promises new cyber proposal addresses privacy

President Obama rolled out the centerpiece of his cybersecurity legislative proposal on Tuesday to cheers from industry groups and wariness from privacy advocates.

The measure would enable private sector companies to swap cyber threat information with the Department of Homeland Security. It’s the capstone of a week of new consumer privacy and cybersecurity initiatives the White House is promoting.

ADVERTISEMENT

“Cyberthreats pose an enormous challenge to our country; it's one of the most serious economic and security challenges we face as a nation,” Obama said during a speech at the Department of Homeland Security (DHS), according to pool reports.

In addition to information sharing, the administration this week has put forth legislative proposals that would create federal standards for data breach notifications, enhance student data protection and strengthen penalties for various difficult-to-prosecute cyber crimes.

"As long as I'm president, protecting America's digital infrastructure is going to remain a top national security priority," Obama said.

But the most high-profile component is the cyber threat exchange proposal. A cyber info sharing bill has been the top priority for industry groups and intelligence officials for several years now. Past attempts have stalled over concerns that such a measure would enable the government to collect more private information on Americans.

The White House believes its proposal assuages some of the concern surrounding a similar 2011 offering criticized as vague and broad. The current proposal would funnel industry information into the Homland Security cyber center, which is known as the National Cybersecurity and Communications Integration Center (NCCIC).

“What you see in here is a refinement of our thinking in the privacy and civil liberties space,” a senior administration official told reporters.

It includes specifics that the administration said would make it more palatable to industry and privacy groups.

For industry, the proposal grants the liability protections companies have long desired, fearful that giving internal data to the government could expose them to shareholder lawsuits.

“Previously, the administration the administration’s proposal didn’t really focus on the liability protection," the official said.

For privacy advocates, it requires companies to remove elements of personal information from their data and delineates exactly what types of data they can give to the government.

That includes “a fairly narrow set of technical information,” like IP addresses, routing information and date/time stamps, the official said. “It’s primarily not going to be content.”

And the bill would direct federal agencies to develop public guidelines “for how the cyber threat indicators can be used and retained, and how it will be destroyed,” the official added.

But the changes didn't completely satisfy outside groups.

“We remain a little bit skeptical,” said Drew Mitnick, policy counsel at digital rights advocate Access Now.

“The administration’s proposal fails to effectively cement DHS’s control over the information sharing program,” said Robyn Greene, policy counsel of New America’s Open Technology Institute, expressing concern that the proposal could give the National Security Agency too much access to the cyber threat. "But, as always the devil will be in the details of the specific language."

Obama on Tuesday defended his proposal's privacy protections as robust and warned that the nation needs action soon.

If the nation is to stop cyberattacks like the destructive hit on Sony Pictures Entertainment from striking government agencies and critical infrastructure, the public and private sector must work together, he said.

"We've got to stay ahead of those who would do us harm,” he said. “The problem is that government and the private sector are still not always working as closely together as we should.”

— Updated 7:42 p.m.