President Obama on Tuesday proposed new cybersecurity legislation that would put cybercrime on par with racketeering and would protect companies from getting sued if they share computer threat data with the government.
Specifically, indicators of cyber threats would immediately be shared with the Department of Homeland Security (DHS), the FBI, the Secret Service, and private-sector Information Sharing and Analysis Organizations (ISAOs).
The Administration’s new package of cybersecurity legislation would also allow for the prosecution of those found selling or renting out botnets – which are often used in distributed denial-of-service (DDoS) attacks – and would authorize courts to shut them down if criminal activity is detected.
It would make illegal the overseas sale of stolen US financial data, such as that taken in attacks like the one against Home Depot, and would get tougher on the sale of spyware.
Speaking at the National Cybersecurity and Communications Integration Center on Tuesday, President Obama said that online crooks are as bad as, if not worse, than offline crooks nowadays:
We want cybercriminals to feel the full force of American justice, because they're doing as much damage - if not more - these days, as folks who are involved in more conventional crime.
These are just the latest in a slew of “securing cyberspace” proposals that have been rolling out since Monday, when the President proposed a federal mandate for a 30-day disclosure window after data breaches and a ban on the sale of student data to third parties.
That legislation should have stayed on the shelf, privacy advocates grouse.
In the Electronic Frontier Foundation’s (EFF’s) response, Mark Jaycox and Lee Tien took issue with some of the latest proposals, which also include stiffening penalties under existing, already bad laws:
Introducing information sharing proposals with broad liability protections, increasing penalties under the already draconian Computer Fraud and Abuse Act [CFAA], and potentially decreasing the protections granted to consumers under state data breach law are both unnecessary and unwelcome.
The President’s proposing the wrong direction entirely on that one, the EFF said:
Instead of increasing penalties under the Computer Fraud and Abuse Act, we've long advocated common sense reform to decrease them.
The White House proposals do in fact call for beefing up laws, including updating the Racketeering Influenced and Corrupt Organizations Act (RICO) so that it covers cybercrime.
Privacy and civil rights advocates point out that there are already plenty of laws out there to get it all done. For example, it’s already a federal law to sell spyware: a point made in November when the CEO of a spyware company was fined $500K (£330k) and forced to forfeit his company’s source code.
But while the Administration does want more, and tougher, cybercrime laws, it’s claiming it will stop using laws like CFAA for trivial pursuits.
From its statement:
The proposal modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.
The prospect of companies sharing yet more information with the already surveillance-soaked government is another aspect of the President’s proposals that’s not going over big with privacy groups.
While the White House proposal does require the removal of personal information prior to companies sharing data-threat information with the government, there still needs to be safeguards put into place, points out the Electronic Privacy Information Center (EPIC), including civilians being engaged on oversight:
The President threatened to veto a previous bill that lacked privacy and civil liberties safeguards. A 2013 expert report set out 46 proposals for strengthening cyber security that the White House said it would adopt. EPIC supported these recommendations and has also recommended civilian leadership on cybersecurity.