Obama again proposes cybersecurity rules for consumers, businesses
Companies that suffer data breaches from hackers would have to abide by a national standard for alerting consumers whose information was stolen under proposed legislation that President Obama announced Tuesday.
They would be encouraged to work more closely with the government and each other to share information and prevent attacks, the president said in a visit to the Department of Homeland Security.
“Foreign governments, criminals and hackers probe America’s computer networks every single day,” Obama said.
“We’ve got to stay ahead of those who would do us harm,” he added. “The problem is that government and the private sector are still not always working as closely together as we should. Sometimes it’s still too hard for government to share threat information with companies.”
The White House laid out Obama’s proposal for dealing with cyber crimes as he visited the National Cybersecurity and Communications Integration Center in Arlington, Va. The center watches for breaches around the clock, and it’s where companies are encouraged to report breaches when they occur.
The president is making cybersecurity a major theme this week as he prepares to make his annual State of the Union speech to members of Congress.
That focus suffered a setback Monday when hackers identifying themselves with the Islamic State, or ISIS, breached Central Command’s social media sites. The Twitter and YouTube pages were later restored.
In one posting, hackers shared publicly available names and contact information for military leaders and retired generals. CentCOM said it was notifying victims.
Each state sets its own rules for cyber breaches; Alabama, New Mexico and South Dakota have none.
The process can be confusing and complicated for companies and victims, experts told the Tribune-Review.
“It’s a big hassle,” said David Ries, a lawyer at Clark Hill, a Detroit-based law firm with offices in Pittsburgh from its merger-acquisition of the former Thorp Reed & Armstrong. “It’s a really good idea, and if Congress can agree on what it should be, and it would pre-empt existing state law, that would be good for business.”
But crafting a national standard that everyone wants will not be easy, said Roberta Anderson, a lawyer at K&L Gates, an international law firm based in Pittsburgh. The president’s other attempts failed.
“It’s the Rubik’s Cube minefield of privacy legislation,” Anderson said. “If Obama’s new proposed legislation … doesn’t pre-empt state law, it’s potentially adding more confusion.”
Obama’s legislation would protect companies from lawsuits and regulatory oversight when they share information about breaches.
It would give courts broader authority to shut down networks of compromised computers that are used to initiate attacks while outlawing the sale of so-called botnets and stolen financial information, including credit card numbers.
Obama pitched a cybersecurity law in 2011 with similar proposals that Congress did not enact. He said he has talked with House Speaker John Boehner, R-Ohio, and Senate Majority Leader Mitch McConnell, R-Ky., about the need for cybersecurity legislation.
“I think we agree that this is an area where we can work hard together and get some legislation done, and make sure that we are much more effective in protecting the American people from these kinds of cyber attacks,” Obama said.
Consumer groups and some state attorneys general have opposed a national breach reporting standard because it would weaken standards in some states, Ries said. Companies that operate nationwide typically abide by the strictest requirements. Corporate executives, meanwhile, have opposed a national standard that would leave intact stricter, varying state laws in places such as California, Massachusetts and New York.
“For businesses, it’s obviously easier to have a national standard if it pre-empts state laws,” Ries said. “If states can have more stringent laws, it doesn’t help.”
The White House said it plans to hold a Summit on Cybersecurity and Consumer Protection on Feb. 13 at Stanford University. Separately, the Department of Energy will make $25 million in grants over five years to historically black universities for cybersecurity training.
The CentCOM incident and a December attack on Sony Entertainment that the president blamed on North Korea “show how much more work we need to do,” Obama said.
Andrew Conte is a Trib Total Media staff writer.