BreachExchange mailing list archives

Obama Unveils Cyberthreat Info Sharing Plan


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 14 Jan 2015 19:33:58 -0700

http://www.databreachtoday.com/obama-unveils-cyberthreat-info-sharing-plan-a-7792

It looks like 2015 is beginning where 2014 left off regarding cyberthreat
information-sharing legislation.

President Obama on Jan. 13 unveiled his legislative proposal to promote
cybersecurity information sharing between business and government, a
proposal Congress has debated for years, but has been unable to enact.

Obama's proposal, according to a summary released by the White House, would
provide stronger privacy protections than did the Cyber Intelligence
Sharing and Protection Act, the bill passed in the last Congress by the
Republican-controlled House of Representatives and which the administration
threatened to veto (see White House Threatens CISPA Veto, Again).
Cyberthreat information-sharing legislation never came up for a vote in the
then-Democratic-controlled Senate.

A senior administration official, speaking on background, says the White
House's position on CISPA that led to the veto threat has not changed. The
administration says its proposal would safeguard Americans' personal
privacy by requiring businesses to comply with certain privacy
restrictions, such as removing unnecessary personal information and taking
measures to protect any personal information that must be shared, in order
to qualify for liability protection. CISPA didn't do that, and that's one
reason the White House threatened a veto. The White House also said CISPA
provided overly broad liability protections for businesses. The new
proposal offers targeted liability protection to businesses that share
cyberthreat information.

Acting in Good Faith

That liability protection is important to businesses because they don't
want to face lawsuits from disgruntled shareholders and others if the
information they share discloses vulnerabilities in their IT systems.
"The president's proposal to grant targeted liability protections will
foster greater industry participation, while helping to progress what has
traditionally initiated the barriers to sound and meaningful threat-sharing
policy," says Elizabeth Hyman, executive vice president of public advocacy
at the high-tech industry group TechAmerica. "Organizations acting in good
faith should be incentivized to partner with the federal government."

Obama's proposal also would require the Department of Homeland Security and
the attorney general to develop guidelines governing the receipt,
retention, use and disclosure of cyberthreat information received from
businesses.

In addition, the administration plan would encourage businesses to share
appropriate cyberthreat information with the National Cybersecurity and
Communications Integration Center, the Homeland Security agency responsible
for information sharing and analysis to protect the federal government and
critical infrastructure. NCCIC (pronounced n-kick), as the center is known,
would then share the information in as close to real time as practicable
with relevant federal agencies and with private sector-developed and
operated Information Sharing and Analysis Centers.

More ISACs

The White House proposal would encourage industries that do not have ISACs
to form them. But to be most effective, the respective industries running
the ISACs need to make sure they don't cede too much authority to the
federal government, says Chris Blask, who chairs the Industrial Control
System ISAC.

Too often, he says, ISACs are more about what the federal government wants
rather than what industry needs. "This is not at all bad, but it does not
intrinsically speak to the needs and interests of various private-sector
demographics," Blask says.

Reaction to Obama's plan from business and privacy groups was generally
cautious. The Financial Services Roundtable, in a statement, says it
applauds Obama for raising "this important discussion on information
sharing and looks forward to reviewing the details of the proposal."

Harley Geiger, senior counsel at the Center for Democracy and Technology,
an online advocacy group, is taking a wait-and-see approach on the Obama
plan. "The White House proposal relies heavily on privacy guidelines that
are currently unwritten," he says. "What these guidelines say and when they
are applied will be critical to protecting Internet users. Privacy
protections and use restrictions must be in effect before information
sharing occurs."

Partisan Rhetoric

In the Capitol, the partisan rhetoric of the 113th Congress reverberated in
the new 114th Congress as some lawmakers responded to the president's plan
with a bit of mockery. "While it took an attack on Hollywood for the
president to re-engage Congress on cybersecurity, I welcome him to the
conversation," says House Homeland Security Committee Chairman Mike McCaul,
R-Texas, referring to the Sony Pictures Entertainment breach.

A more straightforward response came from Rep. David Nunes, the California
Republican who's the new chairman of the House Intelligence Committee.

"I am glad to see President Obama putting forth his ideas to address this
critical issue," he says. "They will receive close consideration as the
House Intelligence Committee crafts a cyber-bill."

The senior administration official sounded more optimistic about prospects
for passage of cyberthreat sharing legislation. "Everybody has indicated a
willingness to talk and to move things forward and move beyond that
straight-up piece of legislation," the official says. "The administration
is serious about working on this issue and has clearly articulated its
position going into those discussions with the Hill. And I look forward to
some good, productive discussions with the folks up on various committees
this spring."

Prosecuting Botnet Sales

Another legislative initiative proposed by Obama would strengthen law
enforcement to combat cybercrime. If enacted, the legislation would:

Allow the prosecution of those who sell botnets;
Expand federal law enforcement authority to deter the sale of spyware used
to stalk or commit identity theft;
Give courts the authority to shut down botnets engaged in distributed
denial-of-service attacks and other criminal activity.

"Much like possession of robbery tools is a criminal offense for those who
are arrested trying to break and enter into a house, this proposal focuses
on the tools - botnets, spyware, etc. - that are used in furtherance of
breaches, IP theft and identity theft," says Christopher Pierson, former
president of the Phoenix chapter of InfraGard, an FBI-private sector
partnership that shares threat information. "This is a step in the right
direction, but, of course, the application depends on the ability to
capture and prosecute the persons involved in the crime."

Obama's proposal also would apply to cybercriminals the Racketeer
Influenced and Corrupt Organizations Act, the statute known as RICO that
government lawyers use to prosecute those involved in organized crime. It
also would clarify the penalties for computer crimes and ensure these
penalties are in line with those for comparable non-cyber crimes.

The cybercrime legislative proposal would criminalize the overseas sale of
stolen U.S. financial information, such as credit card and bank account
numbers. But some security experts question the effectiveness of such a
law. "For it to be effective, we need to have cooperation of the law
enforcement authorities in the countries where the data is being sold and
purchased," says cybersecurity expert Gene Spafford of Purdue University.
"We do not have authority to shut down sites or arrest people in other
countries, even if what they are doing is illegal here. We need
international cooperation."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/