Experts Say to Expect Action After State of the Union Cyber Shout Out

The major holdup to passing new cyber legislation remains liability protections for breached companies that share intelligence with the government.

After a week of cybersecurity-related congressional proposals, speeches and global talks, President Barack Obama's one-paragraph mention of cyber in the State of the Union address may have seemed a bit anticlimactic.

But some Capitol Hill denizens expect Obama's 14-page legislative offer to speak for itself.

"It was a little disappointing that he didn't place much emphasis in the speech. There was so much buildup," said Alex Manning, staff director for the House Homeland Security Committee cybersecurity panel last Congress. "Despite the fact that he didn’t talk about it much in the State of the Union, I think there’s a lot of momentum that you’ll see for action in Congress."

The legislative proposal Obama unveiled last week includes, among other things, a mandatory 30-day deadline for hacked companies to notify customers and liability protections for firms that share data about internal breaches with the government.

The major holdup to passing legislation that would, in the president's words tonight, make sure "our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism" is those liability protections for victimized companies that share intelligence. Information sharing can evoke warnings by National Security Agency leaker Edward Snowden about NSA domestic data sweeps.

Manning, now the senior government relations director at legal and lobbying group Arent Fox, does not see the president’s suggested text going into law as written, but said: "It’s a good starting point, a good reference point. It’s well thought out."

He added, "It’s all going to come down to: Where do the liability protections kick in?"

Obama's proposal would shield companies that share information -- cleansed of identifying information -- with the Department of Homeland Security or an industry information-sharing organization. Another legislative option, called the Cyber Intelligence Sharing and Protection Act, or CISPA, which the House passed in 2013, would let the intelligence community, including NSA, view the information.

"When you say ‘information sharing,’ people immediately think [Edward] Snowden and they think NSA," Manning said. However, "when it comes to cybersecurity information, most of this is ones and zeros: What computer IP addresses are sending malicious software?"

Proposing to share data about personal communications opens up a larger debate about who is making sure the company does, in fact, strip out identifying information.

Within the next month, several congressional committees are expected to introduce legislation that speaks to Obama's proposal, in some shape or form.

"We've got the legislation process to go through," Manning said. "Hopefully, we’re able to come to an accommodation that works for everyone."

The top Democrat on the Senate committee that oversees homeland security appeared willing to compromise.

"It is essential that any information-sharing bill strike an appropriate balance between the ability to share necessary data and to protect privacy and civil liberties," Sen. Tom Carper, D-Del., ranking member of the Homeland Security and Governmental Affairs Committee, said in a statement Tuesday night. "I am committed to continuing to work with my colleagues on both sides of the aisle, the administration and stakeholders to get to work on information-sharing legislation as soon as possible."

Still, some civil liberties activists say Obama's plan, while less invasive than CISPA, does not cement key privacy protections into law.

"The White House proposal relies heavily on privacy guidelines and use restrictions that are currently unwritten, leaving unanswered questions about their effectiveness," Center for Democracy and Technology fellow Jake Laperruque said in a Jan. 16 blog post. "These privacy protections – destruction of irrelevant information, anonymizing information retained, and penalties for privacy violations – have yet to be developed. . . it means, in practice, the White House proposal could be an inch or a mile from CISPA in protecting Americans’ communications."