President Barack Obama said Tuesday that recent cyberthreats to Sony and the military’s U.S. Central Command are reminders of the serious threats facing the nation. But an Associated Press review shows that some of his plans are retreads from years past.
Obama laid out his plans this week as part of a push for new cybersecurity legislation – a week before his State of the Union address – that increases government information-sharing and protects businesses from lawsuits for revealing cyberthreats.
Yet the president’s proposals are similar to congressional legislation that has been languishing on Capitol Hill, in part over privacy concerns. The White House is hoping a recent spate of cyberattacks and data breaches – including November’s hacking at Sony Pictures Entertainment, which the administration blamed on North Korea – will spur lawmakers to take up the issue.
Privacy advocates also criticized other elements of this plan this week, especially involving data-sharing between companies and the government, in light of an ongoing debate about the scope of U.S.-government surveillance and bulk-data collection.
The president unveiled his plans Tuesday at the National Cybersecurity and Communications Integration Center just outside Washington, saying cyberthreats pose “an enormous challenge” in which the U.S. must be “upping our game.” He said cybercriminals are doing as much damage, or more, than traditional criminals.
“As a nation, we are making progress. We are more prepared to deal with cyberattacks, but attackers are getting more sophisticated,” Obama said. “All of us – government and industry – need to be doing better.”
A key part of the proposals, which have received support from some Republicans in Congress, would enable cybersecurity-information sharing between U.S. agencies and the private sector. But that sharing has already been taking place – with uneven results – for more than 16 years.
President Bill Clinton established the earliest Information Sharing and Analysis Centers in May 1998. These were intended to collect, analyze and distribute warnings about cyberthreats within eight of the most important U.S. industries, including banking, transportation, communications and energy.
In 2003, President George W. Bush moved responsibility for the warning centers from the FBI’s now-defunct National Infrastructure Protection Center to the Homeland Security Department. The warning centers have since been expanded to cover 16 critical industries, and others – such as one covering retail stores – have launched separately.
Some of the warning centers, such as the ones protecting banks and computer companies, are highly regarded. But others have been marked by uneven cooperation among members and confusion about roles during a cyberattack.
The government’s own $6.4 million Cyber Storm II exercise in March 2008, which simulated a large-scale cyberattack, revealed some confusion about alerts and fouled communications lines, such as when the Homeland Security Department shut off an encrypted message system over security concerns.
Obama’s plan would encourage the private sector to share cyberthreat information with the Homeland Security Department, according to a White House factsheet. Companies would qualify for targeted liability protection but would have to comply with certain privacy restrictions.
Some congressional leaders had been looking for more cooperation between U.S. businesses and the civilian outfit at DHS – as opposed to the military’s National Security Agency – that shares information about cyberattacks between the private sector and the government.
“This is the Wild West, without any rules to the game,” said Rep. Michael McCaul, R-Texas, who chairs the House Homeland Security Committee. “It’s a new frontier with regard to terrorism and warfare.”
The White House said this week that the proposals also would modernize U.S. laws to combat cybercrime, such as allowing for the prosecution of the sale of botnets – large numbers of hacked computers that can be directed remotely to attack targets – and outlaw the sale of stolen credit-card or bank-account numbers.
But experts said such crimes already are covered under other existing laws, such as conspiracy to commit computer crimes.
“I don’t think there are prosecutions going down the tubes because of the lack of legislation on this,” said Mark Rasch, a former cybercrimes federal prosecutor.
Even with public-private information-sharing, such a program “isn’t a silver bullet,” said Mark Jaycox, a legislative analyst with the San Francisco-based Electronic Frontier Foundation, a civil-liberties group. “We need to tackle the low-hanging fruit, the basic security precautions,” he said, such as regularly updating computer servers and requiring robust passwords. Such issues could have played roles in recent high-profile breaches.
The group said Obama’s proposal “recycles old ideas that should remain where they’ve been since May 2011: on the shelf.” While it said the government should have appropriate tools to investigate cybercrime, recent domestic-surveillance revelations show law enforcement “certainly doesn’t need more legal authorities to conduct digital surveillance.”
Disclosures by former NSA analyst Edward Snowden in 2013 showed the government was collecting phone records and digital communications of millions not suspected of a crime, prompting changes and calls from some lawmakers to curtail domestic-surveillance programs.
Also on Tuesday, U.S. officials testified before a House Foreign Affairs panel about the threat posed by North Korea, including the Sony attack. Gregory Touhill, a senior DHS official for cybersecurity operations and programs, told members that hackers exploited Sony using a “sophisticated worm” – a piece of malicious software – and tried to compromise the company’s computer systems when turned on.
The White House push comes after the social-media accounts for U.S. Central Command were taken over by hackers who claimed to be working on behalf of Islamic State militants on Monday. Other recent hackings at retailers including Target, Home Depot and Neiman Marcus have exposed the lack of uniform practices for alerting customers in the event of a breach.
Sen. John McCain, a member of the Homeland Security and Governmental Affairs committee, said Tuesday he was “glad the administration is coming forward with a proposal” and “guardedly optimistic we can come up with legislation that we can work with the administration on.”
Nedra Pickler and Eric Tucker contributed to this report.