In his State of the Union address Tuesday night, President Barack Obama is expected to focus on several new cyber-security and privacy proposals recently announced by the White House.
Building on talks last week with his British counterpart David Cameron, President Obama is expected to spend time telling Congress his views on a number of Internet-related topics, including measures to broaden high-speed web access, tighten cyber-security protections and bolster consumer privacy.
Presidents often use the annual address to highlight their priorities and call for Congressional action.
But already opposition is building.
Some security analysts and privacy advocates are raising concerns about the White House’s proposals - in some cases for not doing enough, and in others for making things worse.
Making the case
In a White House meeting with Congressional leaders in recent days, President Obama said strengthening cyber-security in the U.S. is an issue that both parties could agree on.
The recent attack at Sony Pictures and last week’s hack of a Pentagon Twitter feed by supporters of the Islamic State group, he said, underscored the need to strengthen the nation’s Internet defenses.
“It just goes to show how much more work we need to do, both public and private sector,” he told members of Congress, “to strengthen our cyber-security, to make sure family’s bank accounts are safe, to make sure that our public infrastructure’s safe.”
Unlike in many other nations, most of the digital networks in the U.S. are privately owned and operated.
While U.S. government computer systems are generally well-protected, journalist and author Shane Harris said the same cannot be said of many private and corporate networks.
Private networks, he said, handle all kinds of data – from banking and credit records to private email communications, to control of the nation’s electric grid.
Hackers have become increasingly adept at breaking into these private systems and creating all sorts of havoc, Harris said, largely because there is almost no federal oversight or regulation of the web.
“It’s not easy for them to simply go in and say ‘you will do this or else,’” Harris said. “We don’t regulate Internet security the way we do, say, chemical plants and food production facilities. We just don’t do that – we might, but we’re not doing that now.”
Encouraging information sharing
The White House has introduced three separate measures to combat cyber-crime and strengthen privacy.
The first, the Personal Data Protection and Notification Act, would require companies that handle data to alert customers within 30 days if any of their private information had been compromised or stolen by hackers.
Of the three proposals, this first one is proving to be the least controversial and has already won strong backing from many retailers, ISPs, and other data companies.
Denise Zheng, a senior fellow at the Center for Strategic and International Studies, said that’s because companies are already dealing with a costly and cumbersome patchwork of similar laws in different states.
“There are currently 47 different states that have data breach notification laws already on the books,” she said in an interview. “What this bill would do is actually create some more regulatory certainty and a standard across the country.”
Another proposal, called the Student Digital Privacy Act, would ban companies from using or selling private information about students collected while they were using school-provided computers, tablets or laptops.
The last proposal would encourage private corporations to voluntarily share certain types of information with each other and with the federal Department of Homeland Security.
Those types of information include cyber-threats, technical vulnerabilities, and what’s called “malicious reconnaissance” – meaning unauthorized spying into computer system defenses.
In exchange for participating, companies would be partially shielded by the government from lawsuits related to security breaches or privacy complaints.
Harley Geiger, a senior counsel at the Center for Democracy and Technology, said this measure could actually erode some consumer privacy protections already on the books while taking away individuals’ access to the courts.
“The White House proposal allows companies to share user information with the Department of Homeland Security regardless of any privacy law, and allows Homeland to share that information with other law enforcement agencies for purposes unrelated to cybersecurity,” he said.
White House plans
Although not a specific proposed act, the White House is also calling for a sweeping overhaul of the Computer Fraud and Abuse Act, or CFAA.
Passed in 1984 and still the basis for much U.S. cyber-hacking law, the CFAA criminalizes a wide range of hacking-related behavior as a misdemeanor. Among other changes, the President’s proposal would escalate those offenses to felonies.
Geiger called the CFAA a flawed and outdated law, written at a time when hacking was very different and employing language that’s far too vague 30 years later.
That’s a concern shared by cyber-security professional Mark Kraynak, chief product officer at the network and data-center security firm Imperva.
Kraynak said the CFAA criminalizes many of the wrong sorts of acts – such as sharing information about network weaknesses or releasing hacking code. Many of these techniques are currently used expressly to strengthen cyber-security.
“Punishing companies for data breaches is like fining those injured by random gunshots for not wearing a bullet-proof vest as a measure to reduce casualties of gang shooting,” he wrote on his company’s blog.
“The current proposal from the White House only addresses the administrative aspects of cyber-crime enforcement…clarifying what is illegal, etc.,” he wrote. “But, importantly, it seems to do nothing actually to improve law enforcement cyber capabilities.”
While the Sony hack may be on some people’s minds, the Obama Administration’s renewed focus on cyber-issues also comes in the wake of a series of leaks and revelations about covert data monitoring and surveillance programs run by the NSA.
President Obama acknowledges that privacy is a big concern for many people, and the Snowden leaks have only amplified that.
Speaking Friday at a joint news conference with British Prime Minister Cameron, President Obama called cyber-space a “whole new world,” and emphasized that the U.S. government was working on ways to balance privacy concerns while also giving law enforcement the means to stop terror plots.
“Those who are worried about Big Brother sometimes obscure or deliberately ignore all the legal safeguards put into place,” he said, adding that he wanted to make sure people don’t feel their government is “fishing around…on your smart phone.”
So far, congressional leaders have been mostly silent about whether they would support or oppose the President’s initiatives.
During the last session of Congress, the House passed the Cyber Intelligence Sharing and Protection Act, or CISPA for short, but that measure came under harsh criticism from civil liberties and privacy advocates and died in the Senate.
It’s unclear how much pressure lawmakers will feel from the public to pass these measures. But author Harris said President Obama’s reference to protecting family bank accounts may, in fact, be the proposals’ best selling point.
“We talk a lot about credit card information being stolen and it’s very easy to get your credit card replaced, but what happens if somebody hacks your checking account and you wake up one morning and your balance is zero?” he asked. “If something like that were to start to happen, and that’s something that’s happened to corporations in this country, then you’re going to see a level of public concern and alarm over this that could be very destabilizing.”
The White House will host a cyber-security summit at Stanford University next month. Participants are expected to focus on issues of consumer financial protection, building public-private partnerships, and developing and sharing best practices for strengthening cyber-security.