President calls for more cybersecurity information sharing

President Obama urges companies to share information about cyberattacks

Credit: flickr/Steve Jurvetson

President Barack Obama followed up Monday's speech about data breach notification with another speech Tuesday encouraging companies to share information about cyberattacks.

In an address to the National Cybersecurity and Communications Integration Center (NCCIC) he proposed legislation that offers liability protection to companies that share information.

Previously, such legislation had stalled due to privacy concerns, but the current proposal requires companies to remove "unnecessary personal information" before sharing.

The proposed legislation also contains provisions that would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen personal financial information, and would give courts the authority to shut down criminal botnets.

"We want to be able to better prosecute those who are involved in cyber attacks, those who are involved in the sale of cyber weapons like botnets and spyware," he said. "We want to ensure that we’re able to prosecute insiders who steal corporate secrets or individuals’ private information."

Privacy groups met this latest proposal with a great deal of skepticism.

"Introducing information sharing proposals with broad liability protections, increasing penalties under the already draconian Computer Fraud and Abuse Act ... are both unnecessary and unwelcome," said the Electronic Frontier Foundation in a statement.

"Expanded information sharing poses a serious risk of transferring more personal information to intelligence and law enforcement agencies," the organization added.

Security experts also reacted to the information sharing aspects of this proposal with some criticism.

"There is no guarantee the concept will be met with open arms," said Dodi Glenn, senior director of security intelligence and research labs at Clearwater, FL-based ThreatTrack Security, Inc. "I have personally been involved in operations where the very second a private company mentions involving the U.S. government, other participating companies become hesitant to continue to share data."

According to Glenn, there is a clear trust issue between the government, the private sector, and the public. Allegations of domestic spying, for example, have damaged the government's credibility on this issue.

"It is critical that the government not overreach in any information sharing program, and that they work with the private sector as a true partner," he said.

"The industry has proven that sharing information is not something the industry does just because someone says it’s a good thing to do," said Tsion Gonen, chief strategy officer at Amsterdam-based security firm Gemalto.

The proposed legislation leaves some important questions unanswered, said Carl Wright, general manager at San Mateo, CA-based security firm TrapX.

Take, for example, the requirement to remove unnecessary personal information.

"What is the definition of 'unnecessary'?" he asked. "Who is responsible for making such decisions?"

Similarly, he said, liability protection sounds like an unfunded mandate on the cyber insurance industry, which is still in its infancy.

Even harsher penalties for cybercrimes did not meet with uniform support from cybersecurity professionals.

The current Computer Fraud and Abuse Act is already too broad, said Ian Amit, vice cresident at Baltimore-based security firm ZeroFOX.

"It has been notoriously criticized in several high-profile cases for being used to indict people whose action would [normally] not have even been classified as a misdemeanor," he said.

Under the proposed law, violations no longer start at a misdemeanor but as felonies, he added, and while the law is still too vague it also does not address the landscape of modern cybercrime.

"If it were left to a professional legal review from security industry professionals I believe that it would not see the light of day in its current form," he said. "But as we are all aware, the legislative process is subject to non-security industry forces.”

Other security experts, however, saw the proposed legislation as an important first step towards addressing the evolving nature of cyberthreats.

"While this legislation probably doesn't go far enough, I think merely introducing it is a step in the right direction," said Sanjay Beri, CEO and co-founder at Los Altos, CA-based cloud security vendor Netskope. "We need to have this discussion and get serious about cybersecurity across all types of companies."

Beri added that he's not convinced that the new legislation will help prevent breaches.

"But I am 100 percent convinced that there will be more data breaches and sitting on our hands and not having this discussion won't prevent them either," he said. "Also, this needs to be a two way street. Governments need to ramp up sharing data they gather to vendors and enterprises in an easy way."

According to Mary Ann Miller, senior director at New York City, NY-based NICE Actimize Inc., the proposed legislation is an "outstanding first step."

"Any initiative that creates a better environment for open discussions of critical issues ... is only a win for the good guys," she said. "Passing this bill is critical to the environment we are living in 2015, I do not know a business, consumer or security expert who would beg opposition."

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.