Export Compliance Daily is a Warren News publication.
Executive Order Anticipated

White House Advances 2015 Cybersecurity Proposals

The White House advanced new proposals on cybersecurity Tuesday ahead of President Barack Obama’s Jan. 20 State of the Union speech, releasing further details about legislative proposals on information sharing, cybercrime and grants for cybersecurity education at historically black colleges. The set of proposals partially mirrors aspects of the White House’s May 2011 cybersecurity legislative proposals. Obama plans to make cybersecurity a major focus in his State of the Union speech, as he has in previous years.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

Obama said during a speech Tuesday at the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) that he's proposing that the department collaborate with the private sector to expand the U.S. information-sharing apparatus and give liability protections to companies that provide cyberthreat indicators to federal agencies, as industry executives had anticipated (see 1501120045). Obama is expected to issue an executive order in the coming weeks to direct DHS’ information-sharing efforts, which will be followed by legislation that would codify the executive order. Industry executives have told us that DHS action will begin with a request for proposals to create a private sector entity to develop best practices on information sharing.

The White House proposed legislation that would allow improved cybercrime prosecution, including allowing courts to shut down botnets, allow prosecution of the sale of botnets, criminalize the overseas sale of stolen U.S. financial information and expand law enforcement agencies’ authority to deter the sale of spyware used for stalking and ID theft. The White House also repeated its earlier support for a national data breach reporting law, which Obama discussed Monday and prompted Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., to announce their planned reintroduction of the Personal Data Protection and Breach Accountability Act (see 1501120043).

Cybersecurity “is an area where we can work hard together and get some legislation done,” Obama told House and Senate leaders Tuesday. The ISIS terrorist group’s Monday hacking of U.S. Central Command’s social media accounts and the recent Sony data breach “show how much more work we need to do, both public and private sector, to strengthen our cybersecurity,” Obama said.

The White House said it will host a cybersecurity and consumer protection summit at Stanford University Feb. 13 that will focus on improved information sharing and cybersecurity practices, public-private partnerships and secure payment technologies. Vice President Joe Biden will announce Thursday that the Department of Energy will issue $25 million in grants over the next five years to a cybersecurity education consortium of 13 historically black colleges and two national labs.

The White House’s DHS-centric information-sharing proposal is an “alternative way to increase information sharing without bringing up a lot of the privacy issues” involving the controversial Cyber Intelligence Sharing and Protection Act (CISPA), said Arent Fox Senior Government Relations Director Alex Manning, former staff director for the House Homeland Security Committee’s Cybersecurity Subcommittee. Rep. Dutch Ruppersberger, D-Md., reintroduced CISPA (HR-234) Friday (see 1501090035). The White House proposal indicates the administration wants to continue to “work within existing privacy laws” by requiring companies to “scrub” personal information from cyberthreat information they share with the government, though full details on that proposal aren’t likely to surface until after the State of the Union speech, Manning told us. “They’re definitely siding more on the privacy groups’ end of things.”

Several privacy groups criticized the White House Tuesday for not going far enough on privacy protections in its cybersecurity proposals. The White House’s information sharing proposal “protects the rights of Internet users more than CISPA” but also allows companies to share user information with DHS “regardless of any privacy law, and allows Homeland to share that information with other law enforcement agencies for purposes unrelated to cybersecurity,” Center for Democracy & Technology Senior Counsel Harley Geiger said in a statement. The Electronic Frontier Foundation is “concerned that the Administration proposal will unintentionally legitimize the approach” taken by CISPA, Policy Analyst Mark Jaycox and Senior Staff Attorney Lee Tien said in a blog post. “Instead of proposing unnecessary computer security information sharing bills, we should tackle the low-hanging fruit” like strengthening existing information-sharing entities and encouraging the private sector to use those entities, they said.

Many people on Capitol Hill and within the private sector are “holding their fire until they see more details on these proposals because the devil is really going to be in the details,” Manning said. The proposal for a DHS-private sector partnership on information sharing “seems like a very convoluted system,” he said. “What’s unclear to me is how much buy-in they’re going to get from the rest of industry and whether they’ll try to make the best practices that group comes up with into something mandatory.”