President Barack Obama used his State of the Union address last week to beat an old drum—the pressing need for cybersecurity. As a two-time champion of measures to reform online safety practices, the president aimed to use recent security breaches as the vehicle to launch yet another bid.
“I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information,” stated Obama in his speech on January 20. “If we don’t act, we’ll leave our nation and our economy vulnerable, if we do, we can continue to protect the technologies that have unleashed untold opportunities around the globe.”
The president proposed legislation that would collect reports of cyberattacks into a central repository, introduce new penalties for cybercriminals, and streamline the ways in which businesses and the government work together to prevent breaches. The proposal was met with widespread support from both Congress and industry experts.
A high-profile breach of Sony Pictures—which nearly sparked an international incident—and hacker attacks on Target, Staples, Home Depot, and JPMorgan Chase are among the many recent events that sparked the need to take action. But while those issues have brought the matter to the public’s attention, the debate over how to address cybersecurity is nothing new.
Lawmakers have attempted to introduce cybersecurity bills for many years, but opposition from industry and civil rights groups has often thwarted the initiatives. President Obama himself has led a number of efforts to prepare the country for increasing cyber threats and crimes.
He released the Cyberspace Policy Review, a national strategy related to information and communication networks, in 2009. Two years later he issued a legislative proposal that called on Congress to provide government and the private sector with the tools they needed to combat cyberthreats at home and abroad. His proposal failed to get congressional approval.
Although the president is a staunch supporter of taking some sort of action on cyberthreats, he’s been sensitive to privacy concerns. In 2012, when the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), the White House threatened to veto the measure, saying that the bill put Americans’ privacy at risk and was too lenient on companies that failed to secure their computer networks.
Civil liberties and Internet freedom groups agreed, characterizing the controversial bill—which would have allowed private entities to share user information with government intelligence agencies—as the digital equivalent of the Patriot Act.
“It allows private Internet communications and information of American citizens to go directly to the [National Security Agency],” Leslie Harris, president of the Center for Democracy and Technology, said in a statement. “Once that private information is in the hands of the military, it can be used for purposes completely unrelated to cybersecurity.”
Rep. Jared Polis (D-Colo.) took a similar stance during a May 2012 debate on the House floor.
“Allowing the military and NSA to spy on Americans on American soil goes against every principle this country was founded on,” he was quoted as saying by the Toronto Standard.
Although CISPA did not make it out of the Senate that year, it was reintroduced in 2013. While the House again supported it, it wasn’t considered by the Senate and once again died. A newer version of the bill (unrelated to the president's proposal) was introduced in the House in early January.
Obama’s most recent proposal isn’t much better than CISPA, though, according to some advocacy groups. They criticize the effort as being too similar in its information-sharing aspects and still not tough enough on private entities that fail to protect consumer information.
“Instead of proposing unnecessary computer security information sharing bills, we should tackle the low-hanging fruit,” the digital rights group the Electronic Frontier Foundation writes in a statement. “This includes strengthening the current information sharing hubs and encouraging companies to use them immediately after discovering a threat.”
Others have pointed out that none of the cybersecurity proposals so far have included practical measures such as holding companies liable or educating end-users about threats. Rep. Zoe Lofgren (D-Calif.) agrees with those criticisms and is pushing back against the proposal. While reform is needed, she says, the current proposal wouldn’t have done much to stop the recent incidents.
“I fear we may have taken the wrong lesson from these recent high-profile attacks,” Lofgren said in a recent statement. “These attacks were not the result of a missed opportunity to share information, but rather caused by substantial and obvious security failures and a culture of treating cybersecurity as an afterthought.”