WHITE HOUSE’S CYBER SECURITY ANNOUNCEMENT
Below is the White House’s announcement of its Cyber Security initiatives for 2015. We will have analysis of these proposals shortly.
The problem is that government and the private sector are still not always working as closely together as we should. Sometimes it’s still too hard for government to share threat information with companies. Sometimes it’s still too hard for companies to share information about cyber threats with the government. There are legal issues involved and liability issues. Sometimes, companies are reluctant to reveal their vulnerabilities or admit publicly that they have been hacked. At the same time, the American people have a legitimate interest in making sure that government is not potentially abusing information that it’s received from the private sector.
This week is a big one for cybersecurity.
President Obama is using the week before his State of the Union to highlight the importance of cybersecurity and to outline the steps this Administration is taking to tackle this problem head-on. As many companies and government agencies know far too well, the cyber threat is only increasing in breadth, pace, sophistication, and impact. The events of the past year, including numerous breaches into major retailers, a widespread encryption vulnerability known as Heartbleed, and the recent destructive and coercive cyber attack against Sony Pictures Entertainment, clearly demonstrate the need to accelerate collective efforts to increase our nation’s cybersecurity and to preserve and protect our core values as a nation.
Since taking office, this Administration has made cybersecurity a priority. We have focused on better protecting our critical infrastructure, improving the security of federal networks, enhancing our ability to respond to and manage incidents, building international coalitions, and shaping cyberspace to be more secure in the future. Many of my previous blog posts have highlighted our efforts in these areas, and we have indeed made progress. As we start 2015, though, it is clear that a lot more remains to be done. This Administration will continue to pursue all appropriate efforts to defend our citizens, our companies, and our nation from those threats.
So this week, the President is kicking off the new year by launching a series of key policy initiatives designed to tackle some of our most pressing cybersecurity problems in these priority areas. Yesterday, the President focused on consumer protection and privacy. Those actions will help cybersecurity as well, because the more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy. This week, the President is announcing several specific cybersecurity steps, which in turn will also improve consumer protection and privacy, as better cybersecurity results in better data protection. These efforts are mutually reinforcing.
In 2014, Congress passed important cybersecurity measures focused on improving how the federal government protects its own networks and how we are organized to carry out our cybersecurity missions, including: the Federal Information Security Modernization Act of 2014, the National Cybersecurity Protection Act of 2014, the Cybersecurity Enhancement Act of 2014, and the Cybersecurity Workforce Assessment Act of 2014. The passage of these bills, which the Administration strongly supported, demonstrates that when the politics are put aside, we can do a lot together on cybersecurity. The Members who worked on these bills deserve credit for working diligently to ensure that these important bills made it through at the very end of the term.
Congress should build on this momentum and pass additional legislation to increase information sharing with the government, modernize the tools needed by law enforcement to fight cybercrime, and standardize the requirements for when companies must notify customers of data breaches. Yesterday, the Administration released an updated legislative proposal that addresses these three areas:
- Enabling Cybersecurity Information Sharing: While not a panacea, increased information sharing is a key element in improving our cybersecurity. The Administration’s updated proposal promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration and information sharing amongst the private sector. Specifically, the proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) which will then share it (in as close to real-time as practicable) with relevant federal agencies and with private sector-developed and -operated Information Sharing and Analysis Organizations (ISAOs). This information sharing will be facilitated by providing targeted liability protection for companies that share information with these entities. The legislation also encourages the formation of these private sector-led Information Sharing and Analysis Organizations. The Administration’s proposal would also safeguard Americans’ personal privacy by requiring private entities to comply with certain privacy restrictions — such as removing unnecessary personal information and taking appropriate measures to protect any personal information that must be shared — in order to qualify for liability protection. The proposal further requires the Secretary of Homeland Security and the Attorney General, in consultation with the Privacy and Civil Liberties Oversight Board and others, to develop receipt, retention, use, and disclosure guidelines for the federal government. Finally, the Administration intends this proposal to complement and not limit existing effective relationships between government and the private sector. These existing relationships between law enforcement and other federal agencies are critical to the cybersecurity mission.
- Modernizing Law Enforcement Authorities to Combat Cyber Crime: Law enforcement must have appropriate tools to investigate, disrupt and prosecute cyber crime. The Administration’s proposal contains provisions that would allow for the prosecution of the sale of botnets; would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers; would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft; and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity. It also reaffirms important components of 2011 proposals; specifically, it would update the Racketeer Influenced and Corrupt Organizations Act (RICO), a key piece of law used to prosecute organized crime, so that it applies to cybercrimes, clarifies the penalties for computer crimes, and makes sure these penalties are in line with other similar non-cyber crimes. Finally, the proposal modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.
- National Data Breach Reporting: As announced yesterday, the Administration has also updated its proposal on security breach reporting. State laws have helped consumers protect themselves against identity theft while also encouraging businesses to improve cybersecurity to help prevent identity theft. These laws require businesses that have suffered an intrusion to notify consumers if consumers’ personal information has been compromised. The Administration’s updated proposal helps businesses and consumers by simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain data breach reporting requirements into one federal statute, and it puts in place a single, clear requirement to ensure that companies notify their employees and customers about security breaches on a timely basis.
White House Cybersecurity Summit:
Cybersecurity is an inherently shared mission between the government and the private sector. No single agency within the government can undertake cybersecurity alone, but even more importantly, the federal government cannot address the cybersecurity threat by itself. We must truly collaborate with the private sector on many levels in order to make our cybersecurity efforts effective.
In that vein, the President also announced that we are planning a White House Cybersecurity Summit, which will take place on February 13 at Stanford University. This event was previewed in October, when the President launched the BuySecure Initiative, and it is the next step in the Administration’s ongoing work to build consumer confidence by enhancing public and private sector consumer financial protection efforts. The Summit will bring together major stakeholders on cybersecurity and consumer financial protection issues — including senior leaders from the White House and across the federal government, CEOs from a wide range of industries including the financial services industry, technology and communications companies, computer security companies and the retail industry, as well as state government leaders, law enforcement officials, consumer advocates, technical experts, and students. Topics at the Summit will include increasing public-private partnerships and cybersecurity information sharing, creating and promoting improved cybersecurity practices and technologies, and improving adoption and use of more secure payment technologies.
We know that a robust cyber workforce is needed to ensure that we have enough trained professionals to meet the nation’s growing need for cyber defenders. Right now, there is a large and growing demand for these workers chasing a smaller supply. Acknowledging that this is a problem for everyone — the federal government, state and local governments, and the private sector — we have been working to develop a unity of effort to accelerate progress in this area. In this spirit, the Vice President will announce on Thursday that the Department of Energy will provide $25 million in grants over the next five years to support a cybersecurity education consortium consisting of 13 Historically Black Colleges and Universities and two national labs. This will build on our existing work under the National Initiative for Cybersecurity Education.
Collectively, this week’s announcements kick off a new year in which we intend to make real progress in improving the nation’s cybersecurity. These actions demonstrate that we are taking steps to mobilize every element of our nation to rise to the challenge. I look forward to continued progress across all our cybersecurity priority areas in the run-up to the Cybersecurity Summit and beyond. Over the coming year, the Administration will continue to press forward doing everything it can to improve cybersecurity, both domestically and internationally. We know that legislation, education, and a summit by themselves won’t solve the cybersecurity problem. So the actions outlined above are just the start of our work in 2015 — we’ve got more to come.