5 Flaws in Obama’s New Cybersecurity Plan

Digital-rights groups are skeptical of the proposal just announced by the president.

<a href="http://www.shutterstock.com/cat.mhtml?lang=en&language=en&ref_site=photo&search_source=search_form&version=llv1&anyorall=all&safesearch=1&use_local_boost=1&searchterm=cybersecurity&show_color_wheel=1&orient=&commercial_ok=&media_type=images&search_cat=&searchtermx=&photographer_name=&people_gender=&people_age=&people_ethnicity=&people_number=&color=&page=1&inline=180510311">Max-Studio</a>/Shutterstock

Following a string of high-profile corporate hacks at companies such as Target, Home Depot, and Sony, President Obama is now urging Congress to improve how companies respond to data breaches. He wants to require them to disclose consumer data breaches within 30 days of discovering them, make it easier for companies to share information about hacking threats with one another and the federal government, and criminalize the sale of botnets, programs used to coordinate attacks.

But while those may sound like good ideas, they’re not winning universal support from top digital rights groups. “President Obama’s cybersecurity legislative proposal recycles some old ideas that should remain where they’ve been since May 2011: on the shelf,” writes the Electronic Frontier Foundation (EFF).

Here are the top five concerns with Obama’s proposals:

1. They may allow companies to share your personal data with the NSA: Companies would receive legal immunity in connection with sharing information about threats with a cybersecurity center headed by the Department of Homeland Security, which could immediately pass it along to the National Security Agency and other federal agencies. The proposed disclosure law, which would trump other state or federal data-privacy laws, would require companies to take unspecified “reasonable” steps to strip information that could identify a specific person before sharing it, but only for individuals “reasonably believed to be unrelated to the cyber threat.”  

2. Private companies and the government already share information about security threats: The sharing happens through the nonprofit Information Sharing and Analysis Centers and Homeland’s Enhanced Cybersecurity Services. “The question is what gap this bill is trying to fill when we already have a robust information sharing machine,” says EFF legislative analyst Mark Jaycox.

3. The reforms would increase penalties under the draconian Computer Fraud and Abuse Act: The notoriously broad and stringent CFAA is best known as the tool used by the feds to prosecute digital rights activist Aaron Swartz, who killed himself in 2013 while facing 35 years in jail and $1 million in fines in connection with downloading copyrighted scientific articles. “We’ve repeatedly seen government prosecutions that use the CFAA’s tough penalties to bully people,” says Jaycox. In a press release, the White House says it wants to ensure the act isn’t used to target “insignificant conduct.” But a close reading of its proposed reforms appears to tell a different story: One provision increases the penalty for stealing data from any “protected computer” from one year to three, even if it wasn’t done for commercial gain.

4. They supersede state laws: The White House’s consumer data breach law would supersede at least 38 state data-breach laws, some of which are more stringent than the proposed federal standard. The law proposed by the White House would apply only to businesses that store information on more than 10,000 individuals, but California, Florida and some other states have disclosure laws that apply to any company that experiences a data breach affecting more than 500 people. “Any such proposal should not become a back door for weakening transparency or state power,” the EFF said in a statement, “including the power of state attorneys general and other nonfederal authorities to enforce breach notification laws.”

5. They could limit online civil disobedience: There are plenty of legitimate reasons to curtail the sale of botnets, but they’ve also been used by activists to carry out distributed denial of service (DDOS) attacks against repressive governments and corporate ne’er-do-wells. Last year, the hactivist collective Anonymous posted a petition on Whitehouse.gov asking that DDOS attacks be recognized as a legal form of protest similar to the Occupy protests. Under the CFAA, carrying out a DDOS attack can already land you in jail for many years, but now the White House wants to further clamp down on the practice by specifically allowing the Attorney General to go after botnets that help enable them.


The more we thought about how MoJo's journalism can have the most impact heading into the 2020 election, the more we realized that so many of today's stories come down to corruption: democracy and the rule of law being undermined by the wealthy and powerful for their own gain.

So we're launching a new Mother Jones Corruption Project to do deep, time-intensive reporting on systemic corruption. We aim to hire, build a team, and give them the time and space needed to understand how we got here and how we might get out. We'll publish what we find as a major series in the summer of 2020, including a special issue of our magazine, a dedicated online portal, and video and podcast series so it doesn't get lost in the daily deluge of breaking news.

It's unlike anything we've done before and we've got seed funding to get started, but we're asking readers to help crowdfund this new beat with an additional $500,000 so we can go even bigger. You can read why we're taking this approach and what we want to accomplish in "Corruption Isn't Just Another Scandal. It's the Rot Beneath All of Them," and if you like how it sounds, please help fund it with a tax-deductible donation today.

We Recommend


Sign up for our newsletters

Subscribe and we'll send Mother Jones straight to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.


Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.