Obama proposes cyber law update in wake of Sony hack
The initiative, announced by US President Barack Obama during a planned visit on Tuesday to the US Department of Homeland Security in Virginia, calls for new legislation to be adopted by Congress in order to enhance the sharing of electronic threat information between the private sector and the government, while also revamping the Computer Fraud and Abuse Act, or CFAA – the 1984 federal law that outlines when and what hacking charges can be brought against suspected cyber criminals.
Additionally, the White House again insisted on Tuesday that American businesses should be obliged under penalty of law of quickly notifying consumers in the event that their networks are compromised, echoing remarks the president made a day earlier when he proposed new data protection rules during an address at the main office of the Federal Trade Commission in which he advocated for securing the types of personal financial data often pilfered in hacks that have targeted major companies.
“This extraordinary interconnection” made possible by the internet “creates enormous opportunities,” Obama said Monday, “but also creates enormously vulnerabilities for us as a nation and for our economy and for individuals.”
Details on the latest proposal surfaced less than a month after the White House and FBI said they’ve attributed the major security breach suffered by the computers of Sony Pictures Entertainment last November to North Korea, and only a day after the US Central Command saw both its Twitter and YouTube accounts compromised by a group claiming to be supportive of Islamic State militants.
"With the Sony attacks that took place, with the Twitter account that was hacked by Islamist jihadist sympathizers yesterday, it just goes to show how much more work we need to do, both public and private sector, to strengthen our cybersecurity to make sure that families' bank accounts are safe, to make sure that our public infrastructure is safe," Obama told members of Congress during a meeting earlier on Tuesday, according to CNN.
“He’s been doing everything he can within his executive authority to move the ball on this,” a senior administration official who spoke on the condition of anonymity told the Washington Post. “We’ve got to get something in place that allows both industry and government to work more closely together.”
In hopes of accomplishing as much, the newest proposal from the president includes provisions enabling private sector entities to better communicate attack details with the DHS National Cybersecurity and Communications Integration Center (NCCIC), ideally giving the government a heads up with regards to future breaches. The White House says the president also wants changes applied to the CFAA that would give the Justice Department added ability to prosecute suspected cybercriminals, specifically singling out individuals who sell botnets – compromised computer networks that can be remotely controlled and used to launch attacks – and persons who sell US financial information overseas, while at the same time updating the federal Racketeering Influenced and Corrupt Organizations Act, or RICO, in order to apply to cybercrimes.
The president’s proposal, the White House said, “modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.”
“Today, at a time when public and private networks are facing an unprecedented threat from rogue hackers as well as organized crime and even state actors, the president is unveiling the next steps in his plan to defend the nation’s systems,” the White House said.
But Marcia Hoffman, a digital rights attorney who has represented clients facing CFAA charges, wrote on Twitter that “there’s some dangerous legislation coming down the pipe,” even if the hacking law is changed to exclude “insignificant conduct.”
Infosec people, there's some dangerous legislation coming down the pipe. You should get ready to weigh in. http://t.co/RiAPKljLDY
— Marcia Hofmann (@marciahofmann) January 13, 2015
According to the Post, the cybersecurity measures announced by Pres. Obama during Monday and Tuesday’s events in the DC area will be included in a broader package being sent to lawmakers on Capitol Hill this week. Previous attempts to pass a cybersharing bill by Congress in recent years have ended unsuccessfully; their proponents, however, have said in the wake of the Sony breach that adopting such an act must be done imminently.
“This is only the latest example of the need for serious legislation to improve the sharing of information between the private sector and the government to help companies strengthen cybersecurity,” Sen. Dianne Feinstein (D-California), the chair of the Senate Intelligence Committee, said in a statement after the Sony hack occurred. “We must pass an information sharing bill as quickly as possible next.”
That isn’t to say Congress will rush to update the CFAA, however. Calls for reforming the hacker have largely gone unnoticed, despite being amplified two years ago this month by the death of Aaron Swartz – a computer prodigy who committed suicide while waiting to be tried on felony computer crime charges that carried a maximum sentence of 35 years in prison.
“I regret that many in Congress fail to see the harm done by this law and the need to take action to fix it. Members of Congress should be appalled at the disparity between how the Department of Justice handled Aaron’s case and how it is handling the CIA breaking into Congressional computers,” Sen. Ron Wyden (D-Oregon), a co-author of “Aaron’s Law,” told Forbes last year for an article in which staff writer Thomas Fox-Brewster said the attempt at CFAA reform was “doomed” and “almost certain to be left to wither.”
— Andrew Blake (@apblake) December 12, 2014
Orin Kerr, a law professor at George Washington University, said last year that the Justice Department has opened upwards of 80 CFAA cases annually against alleged hackers since the CFAA was encoded during the Reagan administration. Arguably among the most notable CFAA cases waged during the law’s relatively young lifespan has been that against Jeremy Hammond, a 30-year-old Chicago man currently serving a decade-long prison sentence after pleading guilty to violations related to the 2012 intrusion into the network of Texas-based private intelligence firm Strategic Forecasting, or Stratfor.
Although Pres. Obama said this week that federal law must be amended to ensure that the government’s cyber experts have a front-row seat to any attempted network intrusions, such was indeed already the case during the Stratfor hack in which the FBI watched the attack unfold in real time by monitoring the internet activities of a cooperating witness who conversed with Hammond as the hack unfolded. Even though federal agents watched the intrusion occur as it happened, however, the FBI failed to alert Stratfor or its customers until it was too late, and a trove of personal information – including addresses, credit card numbers and internal emails – were stolen and later uploaded online.
“Under the guise of ‘cybersecurity,’ we once again see how the government is willing to restrict our freedoms to give us the illusion of safety. Steps to do such things as ‘simply and standardize’ mean nothing when, as in the case of Stratfor, the FBI can order a company to simply delay notifying customers of an intrusion so that they can continue their ‘investigation,’”Grace North, director of the Jeremy Hammond Support Network, told RT’s Andrew Blake on Tuesday.
“The proposed changes will do nothing to stop the overzealous prosecution of political dissidents, and, in fact, will only punish them more by now allowing the government to punish them under federal RICO laws as well as under the CFAA,” continued North. “Even with these changes, the CFAA is still as outmoded, draconian and over-reaching as ever. More intervention by the state will not fix this. What is needed is not more laws, but a complete restructuring of the system that oppresses us all.”
The president is expected to further discuss his efforts at strengthening the nation’s cybersecurity during his annual State of the Union Address scheduled for next Tuesday.