Obama Thinks Cyberthreat Sharing is Ready for Comeback

The Obama administration plans to revise a 2011 legislative proposal for collecting information from hacked companies and sharing it across industry. The rewrite aims to alleviate privacy concerns. 

The move follows incessant cyberassaults against banks, energy companies and other critical sectors.

The original legislation lost steam after revelations of domestic spying and industry concerns about being held liable for shoddy security. While the forthcoming language focuses on data gathering, federal officials acknowledged they can do better at holding up their end of the bargain -- sharing useful government intelligence with companies.

Obama unveiled the initiative a day after proposing a nationwide statute that would compel companies whose customer information is hacked to notify affected individuals within 30 days.

The president this week is also expected to announce a Feb. 13 White House cybersecurity summit hosted, not at 1600 Pennsylvania Ave., but at Stanford University, with a focus on public-private partnerships. And the administration will make available financial grants for students at historically black colleges who pursue cybersecurity studies.

All these efforts are a reaction to a growing hacker threat the nation's government, private sector and cyber pros are still struggling to reign in.

Under the new information-sharing bill, the shared data would end up at the National Cybersecurity Communications and Integration Center, a 24/7 information-sharing facility managed by the Department of Homeland Security. Obama visited the facility Tuesday afternoon to debut the legislative proposal.

"This is a matter of public safety, of public health and most of this infrastructure is owned and operated by the private sector,” he said. “So neither government nor the private sector can defend the nation alone. It's going to have to be a shared mission."

There is much greater support for information-sharing legislation today than in 2011. But it remains unclear whether Republicans, businesses and civil liberties advocates will agree to the administration’s terms.

Sen. Ron Johnson, R-Wisc., chairman of the Senate Homeland Security and Governmental Affairs Committee, said in a statement, "I look forward to working with the White House and other committees of jurisdiction to make information-sharing a reality.”

His House counterpart, Rep. Michael McCaul, R-Texas, chairman of the Homeland Security Committee, chastised Obama for waiting for "an attack on Hollywood" -- a reference to the breach of Sony computer systems -- to re-engage Congress on cybersecurity, but said he welcomed his participation in the conversation.

"My committee is currently working on cybersecurity legislation to remove any unnecessary legal barriers for the private sector to share cyber threat information," he said.

McCaul plans to review the president's proposal in detail.

On Tuesday, a senior administration official told reporters legislation is necessary to make it easier for threat data from companies to flow back to the government.  

“The president can direct much more information flow out of the government” without new legislation, the official said.

A two-way exchange ideally could swiftly generate, in essence, “a weather map for cyberspace,” so security analysts “have some visibility into what is happening in cyberspace writ broadly,” the official said.

Under a March 2013 executive order issued after Obama’s initial legislation faltered, federal agencies were expected to share tips with the private sector when a danger to a company became apparent. But some firms say they are not receiving practical details.

“A piece of this is making sure that we are pushing out this information that is actually actionable so that companies can actually do something,” the official said.

To deal with privacy and liability issues, the proposal would restrict the types of information that will be amassed and restricts how that information will be used.

The “indicators” of an attack the government accumulates would be limited to electronic routing information, such as dates, time stamps and IP addresses. The data would be analyzed to investigate cybercrimes, hazards to minors and threats to bodily harm.  

The information collected would not be used to penalize companies for privacy breaches, according to the administration.

“As long as companies take reasonable steps to remove irrelevant personally identifiable information from that sharing” and comply with other forthcoming guidelines, companies will not be held liable, the official said.

Obama holds the view that under his watch, the nation is now more prepared for cyberattacks, but adversaries are more determined to foil those preparations.  

"We've got to stay ahead of those who would do us harm,” he said. “The problem is that government and the private sector are still not always working as closely together as we should. Sometimes, it's still too hard for government to share threat information with companies" and vice versa.