Obama again proposes cybersecurity rules for consumers, businesses


President Barack Obama speaks at the Federal Trade Commission (FTC) offices at the Constitution Center in Washington, Monday, Jan. 12, 2015, about his plan to improve confidence in technology by tackling identity theft and improving consumer and student privacy.
President Obama renewed his call for Congress to pass cybersecurity legislation during a visit Tuesday, Jan. 13, 2015, to the National Cybersecurity and Communications Integration Center.

Companies that suffer data breaches from hackers would have to abide by a national standard for alerting consumers whose information was stolen under proposed legislation that President Obama announced Tuesday.

They would be encouraged to work more closely with the government and each other to share information and prevent attacks, the president said in a visit to the Department of Homeland Security.

“Foreign governments, criminals and hackers probe America’s computer networks every single day,” Obama said.

“We’ve got to stay ahead of those who would do us harm,” he added. “The problem is that government and the private sector are still not always working as closely together as we should. Sometimes it’s still too hard for government to share threat information with companies.”

The White House laid out Obama’s proposal for dealing with cyber crimes as he visited the National Cybersecurity and Communications Integration Center in Arlington, Va. The center watches for breaches around the clock, and it’s where companies are encouraged to report breaches when they occur.

The president is making cybersecurity a major theme this week as he prepares to make his annual State of the Union speech to members of Congress.

That focus suffered a setback Monday when hackers identifying themselves with the Islamic State, or ISIS, breached Central Command’s social media sites. The Twitter and YouTube pages were later restored.

In one posting, hackers shared publicly available names and contact information for military leaders and retired generals. CentCOM said it was notifying victims.

Each state sets rules for cyber breaches. Alabama, New Mexico and South Dakota have no rules.

The process can be confusing and complicated for companies and victims, experts told the Tribune-Review.

“It’s a big hassle,” said David Ries, a lawyer at Clark Hill, a Detroit-based law firm with offices in Pittsburgh from its merger-acquisition of the former Thorp Reed & Armstrong. “It’s a really good idea, and if Congress can agree on what it should be, and it would pre-empt existing state law, that would be good for business.”

But crafting a national standard that everyone wants will not be easy, said Roberta Anderson, a lawyer at K&L Gates, an international law firm based in Pittsburgh. The president’s other attempts failed.

“It’s the Rubik’s Cube minefield of privacy legislation,” Anderson said. “If Obama’s new proposed legislation … doesn’t pre-empt state law, it’s potentially adding more confusion.”

Obama’s legislation would protect companies from lawsuits and regulatory oversight when they share information about breaches.

It would give courts broader authority to shut down networks of compromised computers that are used to initiate attacks while outlawing the sale of so-called botnets and stolen financial information, including credit card numbers.

Obama pitched a cybersecurity law in 2011 with similar proposals that Congress did not enact. He said he has talked with House Speaker John Boehner, R-Ohio, and Senate Majority Leader Mitch McConnell, R-Ky., about the need for cybersecurity legislation.

“I think we agree that this is an area where we can work hard together and get some legislation done, and make sure that we are much more effective in protecting the American people from these kinds of cyber attacks,” Obama said.

Consumer groups and some state attorneys general have opposed a national breach reporting standard because it would weaken standards in some states, Ries said. Companies that operate nationwide typically abide by the strictest requirements. Corporate executives, meanwhile, have opposed a national standard that would leave intact stricter, varying state laws in places such as California, Massachusetts and New York.

“For businesses, it’s obviously easier to have a national standard if it pre-empts state laws,” Ries said. “If states can have more stringent laws, it doesn’t help.”

The White House said it plans to hold a Summit on Cybersecurity and Consumer Protection on Feb. 13 at Stanford University. Separately, the Department of Energy will make $25 million in grants over five years to historically black universities for cybersecurity training.

The CentCOM incident and a December attack on Sony Entertainment that the president blamed on North Korea “show how much more work we need to do,” Obama said.

Andrew Conte is a Trib Total Media staff writer. Reach him at 412-320-7835.
