White House lays out ideas for information sharing

President Barack Obama sought to spur Congress to action on cybersecurity information-sharing legislation by announcing his own proposal on Jan. 13. Administration officials hope enhanced privacy provisions will help win a critical mass of support for the proposal in the Senate, where such legislation has stalled in the past.

"I've talked to both the speaker as well as Mitch McConnell about this," the president said in a morning meeting with congressional leaders, "and I think we agree that this is an area where we can work hard together and get some legislation done."

However, the proposal has drawn mixed reactions from privacy and civil liberties groups.

In light of all the recent tumult in cyberspace -- from the Heartbleed vulnerability to the massive hack of Sony Pictures Entertainment -- the administration is making "a major push to raise the level of cybersecurity across our country and to improve our ability to disrupt...and mitigate cyber incidents when they do occur," a senior Obama administration official told reporters during a conference call.

Obama's legislative proposal would offer companies "targeted liability" protection to share cyber threat indicators with the National Cybersecurity and Communications Integration Center, the Department of Homeland Security's round-the-clock center for monitoring cyberspace and disseminating warnings. Those indicators would consist mostly of technical information needed to identify malicious behavior in cyberspace -- such as routing information, IP addresses and time stamps.

The proposal is similar to one Obama made in 2011. "We've certainly learned a lot over the last few years as we've worked on how to do privacy in this area, what constitutes effective privacy," the official said.

The president's proposal will be judged against the Cybersecurity Information Sharing and Protection Act, which Rep. Dutch Ruppersberger (D-Md.) revived in the House last week. That legislation has been anathema to privacy groups concerned that the bill would make government surveillance easier.

"One of the key ways that the White House information-sharing proposal is superior to CISPA on privacy is that it does require companies to take reasonable steps to strip out information that would identify innocent parties before sharing it," said Harley Geiger, advocacy director and senior counsel at the Center for Democracy and Technology.

He added that the administration's proposal was a thoughtful answer to privacy concerns but far from perfect.

The Electronic Frontier Foundation was generally more critical of the proposal. "Given that the White House rightly criticized CISPA in 2013 for potentially facilitating the unnecessary transfer of personal information to the government or other private-sector entities when sending cybersecurity threat data, we're concerned that the administration proposal will unintentionally legitimize the approach taken by these dangerous bills," according to a statement released by the group.

Information security specialists welcomed the president's proposal but said it was only one step toward improving situational awareness in the private sector. "If organizations hope to benefit from timely intelligence information, they will need to understand their own defensive posture and readiness," said Mike Lloyd, chief technology officer at analytics firm RedSeal, in a statement.

Privacy hawk Sen. Ron Wyden (D-Ore.) said in a statement that he would review the details of the proposal and added that "safeguarding Americans' privacy is an essential prerequisite for any cybersecurity legislation."

Ruppersberger, for his part, praised the president's action, and noted that the Obama proposal "looks a lot like the bill I introduced." The congressman, who is ranking member of the House Permanent Select Committee on Intelligence, did add that "several outstanding issues" must still be addressed.

A week of cyber(in)security

Obama's proposal is part of a blitz of cybersecurity-related action from the White House this week. On Jan. 15, Vice President Joe Biden is scheduled to announce $25 million in grants for cybersecurity education at a consortium of 13 historically black colleges and universities and two national labs.

In addition, the proposal comes a day after the embarrassing hack of U.S. Central Command's social media accounts by a group claiming allegiance to the Islamic State. On Jan. 13, administration officials said the Defense Department, FBI and DHS are investigating the breach. The incident underscores the need to popularize security tools such as two-factor authentication, the senior official said.

Testifying before the House Foreign Affairs Committee on Jan. 13, Gregory Touhill, deputy assistant secretary for cybersecurity operations and programs at DHS, told lawmakers he would receive an update on the investigation from DOD and FBI later in the day. He also noted that there were no indications that Central Command's dot-mil domain had been breached.