Obama’s Cyber Proposals Sound Good, But Erode Information Security

If you cut through the spin, the plan from the president will encourage companies to spy on users and give them a pass for terrible security practices.

President Barack Obama delivers remarks at the National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Virginia on January 13, 2015. President Obama discussed efforts to improve the government's ability to collaborate with industry to combat cyber threats. Photo Credit: Kristoffer Tripplaar/ Sipa USA

The State of the Union address President Obama delivers tonight will include a slate of cyber proposals crafted to sound like timely government protections in an era beset by villainous hackers.

They would in theory help the government and private sector share hack data more effectively; increase penalties for the most troubling forms of hacking; and require better notification of people when their personal data has been stolen.

But if you cut through the spin, it turns out that the steps Obama is proposing would likely erode, rather than strengthen, information security for citizens and computer experts trying to protect them. Consider:

  • There’s plenty of sharing of data on cyber threats already and no reason to think that the Sony Pictures hack or any of the other major recent cyber attacks could have been averted with more. What Obama is proposing would, by contrast, give companies that have terrible security practices a pass in the form of liability protection from regulatory or civil action based on the information they disclose, while potentially allowing widespread distribution of personal data that should be private.
  • The increased penalties for hacking Obama is proposing could punish people who have only briefly rubbed shoulders with hackers as full-fledged members of a criminal enterprise, and criminalize “white-hat” hacking.
  • And Obama’s federal standards for when companies have to report that customers’ data has been stolen would actually overturn tougher standards in many states.

“There’s nothing that he would propose that would do anything to actually improve cybersecurity,” says Chris Soghoian, the principal technologist at the American Civil Liberties Union. “That’s a problem.”

Cybersecurity researcher Robert Graham wrote in his blog:

Obama’s proposals come from a feeling in Washington D.C. that more needs to be done about hacking in response to massive data breaches of the last couple years. But they are blunt political solutions which reflect no technical understanding of the problem….

This War on Hackers is likely to be no more effective than the War on Drugs.

The explanation for the mismatch between Obama administration goals and policy is, unfortunately, a familiar one: The pull of moneyed corporate interests.

“The reason why we don’t have any serious proposals on the table that would improve cybersecurity,” says Soghoian, “is because big companies don’t actually want to be held accountable.” And Obama “doesn’t want to take on big business.”

The Chamber of Commerce and National Retail Federation are among the biggest fans of the proposals. And that’s a feature, not a bug.

By offering liability protection in return for something companies are doing already, Obama is not only shielding them from consequences; he is also encouraging them to collect more user data than they already do, knowing they could no longer be held liable for it.

Any proposal to, by contrast, set basic, minimal cybersecurity standards for consumer-facing businesses — with non-compliance opening the door to regulatory action or lawsuits — would be fought by an army of lobbyists. So it isn’t even on the table.

If Obama wants to address the problem behind the most notorious recent cyberhacks, he could call attention to what appears to have been their common problem, says Robyn Greene, policy counsel at New America’s Open Technology Institute.

The recent Sony Pictures breach and others were “the results of poor cyber hygiene; they weren’t the result of poor information sharing,” she says. “It would be really good if part of the debate about cybersecurity focused more on what are the easy and practical things that people and companies can do to enhance their cybersecurity.”

“When you’ve got an epidemic, the answer is you should be washing your hands every time you use the bathroom. It’s just not a sexy thing to say,” says Lee Tien, senior staff attorney at the Electronic Frontier Foundation.

“Is he going to tell everyone to update their web browser?” asks Soghoian. “It’s tough to make that a sexy political proposal.”

One source of particular concern among tech-savvy privacy advocates is that Obama’s proposal rewards companies for sharing user information with the Department of Homeland Security — and then allows DHS to share that information with other agencies, even for purposes unrelated to cybersecurity. That includes the NSA and other military agencies.

“We don’t want military and intelligence agencies to have information about American citizens that they just don’t need,” says Greene.

The concern extends to law enforcement agencies as well. “We’re concerned about widespread sharing that can be done as a backdoor to evade search warrants,” says Chris Calabrese, senior policy director at the Center for Democracy and Technology.

“If you limit the sharing to ‘it was this type of attack,’ ‘this is the new security loophole discovered’ and ‘here’s what they did to patch it’ — that sort of stuff — nobody’s really arguing about that,” Calabrese says. The concern is about “personally identifiable information of innocent people” such as those whose computers might have been hijacked.

But the privacy rules regarding Obama’s information-sharing proposal have been left for a future group of government officials to determine – a big deal, given that the liability provision would effectively trump existing privacy laws.

Meanwhile, Obama’s computer crime proposals are “the opposite” of what groups like the Electronic Frontier Foundation are advocating.

“The theme of the language is to increase penalties in a number of places without really clarifying the vagueness or uncertainty that has been problematic in prosecutions,” says Tien.

For instance, he says, when it comes to “hacking” material on public servers: “You’re at risk of being criminally prosecuted because someone can make an argument that you should have known that’s not what they wanted you to do even if they put it online in a way that anybody could get to it.”

Penalties under the Computer Fraud and Abuse Act are already draconian and redundant, Tien and colleague Mark Jaycox wrote in a recent blog post. And Obama’s more expansive definition of “exceeds authorized access” could lead to absurd situations, like major felony prosecutions “for sharing your HBO GO password.”

Obama’s proposal would also extend notoriously heavy-handed racketeering penalties to cybercrime, meaning people who are in some way associated with cybercriminals could be treated like members of a criminal enterprise.

“If I’m on a mailing list, is that an association?” asks Tien. “We are concerned that it’s very, very easy to associate with people anonymously or privately on the Internet. And if that association is treated as part of an enterprise, that’s potentially quite dangerous.”

That said, Obama’s cyber agenda has its good points, too.

“We’re happy he’s elevating the issues,” says Calabrese. “The attention on student privacy is a good thing. And we’re excited they are finally planning to release legislative language for the Consumer Privacy Bill of Rights. Hopefully it’s strong.”

But, he adds: “What’s not in here? There’s no discussion of the government. And you really can’t have any true fix for digital privacy without addressing the government’s collection of information.”

Photo: Kris Tripplaar/Sipa USA/AP
