5 Flaws in Obama’s New Cybersecurity Plan

Digital-rights groups are skeptical of the proposal just announced by the president.

<a href="http://www.shutterstock.com/cat.mhtml?lang=en&language=en&ref_site=photo&search_source=search_form&version=llv1&anyorall=all&safesearch=1&use_local_boost=1&searchterm=cybersecurity&show_color_wheel=1&orient=&commercial_ok=&media_type=images&search_cat=&searchtermx=&photographer_name=&people_gender=&people_age=&people_ethnicity=&people_number=&color=&page=1&inline=180510311">Max-Studio</a>/Shutterstock


Following a string of high-profile corporate hacks at companies such as Target, Home Depot, and Sony, President Obama is now urging Congress to improve how companies respond to data breaches. He wants to require them to disclose consumer data breaches within 30 days of discovering them, make it easier for companies to share information about hacking threats with one another and the federal government, and criminalize the sale of botnets, programs used to coordinate attacks.

But while those may sound like good ideas, they’re not winning universal support from top digital rights groups. “President Obama’s cybersecurity legislative proposal recycles some old ideas that should remain where they’ve been since May 2011: on the shelf,” writes the Electronic Frontier Foundation (EFF).

Here are the top five concerns with Obama’s proposals:

1. They may allow companies to share your personal data with the NSA: Companies would receive legal immunity in connection with sharing information about threats with a cybersecurity center headed by the Department of Homeland Security, which could immediately pass it along to the National Security Agency and other federal agencies. The proposed disclosure law, which would trump other state or federal data-privacy laws, would require companies to take unspecified “reasonable” steps to strip information that could identify a specific person before sharing it, but only for individuals “reasonably believed to be unrelated to the cyber threat.”  

2. Private companies and the government already share information about security threats: The sharing happens through the nonprofit Information Sharing and Analysis Centers and Homeland’s Enhanced Cybersecurity Services. “The question is what gap this bill is trying to fill when we already have a robust information sharing machine,” says EFF legislative analyst Mark Jaycox.

3. The reforms would increase penalties under the draconian Computer Fraud and Abuse Act: The notoriously broad and stringent CFAA is best known as the tool used by the feds to prosecute digital rights activist Aaron Swartz, who killed himself in 2013 while facing 35 years in jail and $1 million in fines in connection with downloading copyrighted scientific articles. “We’ve repeatedly seen government prosecutions that use the CFAA’s tough penalties to bully people,” says Jaycox. In a press release, the White House says it wants to ensure the act isn’t used to target “insignificant conduct.” But a close reading of its proposed reforms appears to tell a different story: One provision increases the penalty for stealing data from any “protected computer” from one year to three, even if it wasn’t done for commercial gain.

4. They supersede state laws: The White House’s consumer data breach law would supersede at least 38 state data-breach laws, some of which are more stringent than the proposed federal standard. The law proposed by the White House would apply only to businesses that store information on more than 10,000 individuals, but California, Florida and some other states have disclosure laws that apply to any company that experiences a data breach affecting more than 500 people. “Any such proposal should not become a back door for weakening transparency or state power,” the EFF said in a statement, “including the power of state attorneys general and other nonfederal authorities to enforce breach notification laws.”

5. They could limit online civil disobedience: There are plenty of legitimate reasons to curtail the sale of botnets, but they’ve also been used by activists to carry out distributed denial of service (DDOS) attacks against repressive governments and corporate ne’er-do-wells. Last year, the hactivist collective Anonymous posted a petition on Whitehouse.gov asking that DDOS attacks be recognized as a legal form of protest similar to the Occupy protests. Under the CFAA, carrying out a DDOS attack can already land you in jail for many years, but now the White House wants to further clamp down on the practice by specifically allowing the Attorney General to go after botnets that help enable them.