Sony hack prompts Congress, White House to back cyber bills
Two of the more controversial computer bills to go before Congress in recent years – a twice-failed proposal for sharing cyber threat intelligence and a long-standing hacking law – are emerging again in Washington amid the recent Sony hack.
When the Cyber Intelligence Sharing and Protection Act, or CISPA, was last debated on Capitol Hill in April 2013, it passed the US House of Representatives but stalled in the Senate, stopping short of garnering full congressional approval for the second year in a row. On the heels of a string of high-profile hacks, however, and with the massive computer breach suffered two months ago by Sony Pictures Entertainment serving as a catalyst, Congress is readying to again weigh in on that bill and quite possibly another.
Sen. Dutch Ruppersberger (D-Maryland), an original sponsor of CISPA when it was first introduced in Washington almost three years ago, has proposed the bill once more, opening the door for the 114th Congress to consider the act yet again.
“The reason I’m putting bill in now is I want to keep the momentum going on what’s happening out there in the world,” Ruppersberger told The Hill in a recent interview, in reference to the Sony hack.
A draft copy of the proposed legislation, sent earlier this month by Ruppersberger to Congress, emerged online on Tuesday this week, first on the website Pirate Times. A representative for the lawmaker’s office subsequently confirmed its authenticity to RT on Wednesday and said that the language is identical to the bill that passed in the House in April 2013 but was ultimately deferred by the Senate.
Should CISPA be approved by both chambers this time around and endorsed by President Barack Obama, the bill would install procedures for sharing “cyber threat intelligence and cyber threat information” between the private sector and government offices, including intelligence community entities, such as the National Security Agency. Proponents say this would give the nation’s computer networks a much-needed extra layer of security courtesy of Uncle Sam’s own cyber squad, and allow government offices to examine incoming cyberattacks while removing the private network owners of liability. Privacy and civil liberties advocates have condemned the act, however, citing an absence of safeguards that may otherwise protect personal data.
Coupled with endorsements from both sides of the aisle in Congress, CISPA may have its best chance yet at ending up in the oval office and receiving an autograph from the president, encoding it once and for all. On Tuesday, in fact, the White House wrote Rep. John Boehner (R-Ohio), the speaker of the House, with a three-pronged proposal for improving cybersecurity.
“The dramatic increase in cyber intrusions and the recent destructive and coercive attack on Sony Pictures Entertainment offer a stern reminder that we must act with urgency to do everything possible to better protect the Nation and economy against cyber threats,” Shaun Donovan, director of the White House Office of Management and Budget, wrote to Speaker Boehner.
Following a meeting on Tuesday with Boehner and his Senate counterpart, Majority Leader Mitch McConnell (R-Kentucky), Obama told reporters: “I think we agreed that this is an area where we can work hard together, get some legislation done and make sure that we are much more effective in protecting the American people from these kinds of cyberattacks.”
In addition to passing once and for all a cyber-sharing bill, RT reported earlier this week that the White House is also now advocating for changes to the Computer Fraud and Abuse Act – the federal law enacted in 1984 that outlines how the Department of Justice can prosecute purported computer hackers.
“We urge the new Congress to work with the Administration to pass much-needed legislation to improve cybersecurity information sharing, establish a single standard for data breach notification and enhance key cybersecurity law enforcement tools,” Donovan wrote in his letter to Boehner.
“We’re going to make another run at breaking through that problem and getting something the president can sign,” McConnell, the Senate leader, told Politico on Wednesday.
Indeed, the White House this week has introduced proposals concerning both CISPA and the CFAA. And while only the latter is currently on the law books, both controversial bills could soon be rehashed and rushed through Washington in the aftermath of the Sony hack in a reactionary, post-traumatic response in an effort to curb further cyberattacks by any means necessary.
As RT reported, the Obama administration’s proposed changes to the CFAA would allow prosecutors to use existing statutes of the federal Racketeering Influenced and Corrupt Organizations Act, or RICO, in order to apply to cybercrimes, while also adjusting potential sentences and incorporating new rules to target the sellers of zombie computer networks known as botnets.
The president’s proposal, the White House said, “modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.”
Already, though, the White House’s proposed CFAA revisions are being considered a cause for concern among some of the nation’s most in-tune entities with regards to computer law.
“My bottom line: My views are somewhat mixed, but on the whole I’m skeptical of the Administration’s proposal,” Orin Kerr, a law professor at George Washington University who specializes in computer legislation, wrote for the Washington Post on Wednesday. “On the downside, the proposal would make some punishments too severe, and it could expand liability in some undesirable ways. On the upside, there are some notable compromises in the Administration’s position.”
“On the whole, I’m skeptical of the government’s proposal, although I think it’s more reasonable than a lot of past CFAA reform proposals we’ve seen,” added Kerr. “One difficulty with knowing whether Congress should pick up this proposal and work with it is the continuing evolution of the CFAA in the courts. The law is a mess, yes. And there are some frightening readings of the law that courts might adopt under the current text. At the same time, the trend has been towards narrower and (to my mind) more sensible readings of the statute, and I’m relatively optimistic that the narrower readings will prevail if and when the Supreme Court turns to the CFAA. Given that trend, the status quo mess isn’t necessarily a bad mess. It might be better to do nothing than to open up the CFAA quagmire and see what results. There’s a lot of uncertainty involved in either path.”
The Electronic Frontier Foundation, a California-based digital rights group, was quick to condemn the Obama administration for urging CFAA updates and new cyber-sharing laws in the wake of the Sony hack.
“More needs to be done to protect cyberspace and enhance computer security. But President Obama's cybersecurity legislative proposal recycles old ideas that should remain where they've been since May 2011: on the shelf,” Mark Jaycox and Lee Tien wrote for a statement from the EFF published on Tuesday following the release of the White House’s proposal.
“Introducing information sharing proposals with broad liability protections, increasing penalties under the already draconian Computer Fraud and Abuse Act and potentially decreasing the protections granted to consumers under state data breach law are both unnecessary and unwelcome.”
“Instead of proposing unnecessary computer security information sharing bills, we should tackle the low-hanging fruit. This includes strengthening the current information sharing hubs and encouraging companies to use them immediately after discovering a threat,” the EFF said. “The administration's proposals to increase penalties in the Computer Fraud and Abuse Act are equally troubling. We agree with the President: ‘Law enforcement must have appropriate tools to investigate, disrupt and prosecute cybercrime;’ however, the past two years of surveillance disclosures has shown law enforcement certainly doesn’t need more legal authorities to conduct digital surveillance or prosecute criminals.”
According to Pirate Times, CISPA 2015 has been referred to the House Committees on the Judiciary, Armed Services, Homeland Security and Intelligence, while the president’s suggestions on the cyber-sharing bill and potential CFAA reform have been sent to leadership in both the House and Senate, according to the White House.