In a January 2015 legislative proposal on cybersecurity, the Administration offered three suggestions. First, information sharing between the private sector and government on cyber threats has been a useful practice in some sectors since before 2007, and the Administration wants it expanded. Secondly, some courts and law enforcement agencies seem unsure of their authority to prosecute and convict cybercriminals; the bill clarifies that authority. And finally, the Administration proposes a federal, standardized obligation for reporting data breaches to governments and to consumers.
The Administration wants the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) to be the focus on the government end. Information sharing about attacks has worked well in the communications and information technology industries where court orders are in common use. Deeper sharing would be welcomed as a means to better protect key infrastructure.
To remove one of the restraints on expanding voluntary private sector participation, the Administration proposes liability protection for private sector firms that remove unnecessary personal information and protect any personal information that must be shared. The goal of preserving personal privacy is important, but conditional liability immunity is probably not enough. Grooming the data to preserve privacy may be easy or nearly impossible; it may introduce too much delay, or it may jettison information needed to thwart attacks. Which of these applies will depend on the context of the threat.
When attacks are underway, minutes count and there is no time for convening a moot court to determine a course of action. The tort industry has a ridiculous advantage in its leisurely review of cooperating firms’ actions taken during events that happened in mere moments while facing impending disaster. If liability protection is not a sure thing, some firms will avoid cooperation in order to avoid endless, costly lawsuits and public relations damage. Experience shows us that court orders can provide reliable liability protection. The offer of conditional liability protection sounds like a political compromise to appease privacy fanatics.
The Administration proposes to criminalize the sale of botnets, the overseas sale of stolen U.S. financial information (e.g. credit card numbers), and the sale of spyware used for stalking or committing ID theft. It further proposes that courts be able to shut down botnets engaged in distributed denial of service attacks and other criminal activity. It wants the Racketeer Influenced and Corrupt Organizations Act (RICO) to apply to organized cybercrimes. It is surprising that legal models such as trafficking in Class I drugs, military grade explosives, and weapons of mass destruction are not already the basis for cyber prosecutions.
It would be helpful if the proposal strengthened the penalties that apply to identity theft, denial of service attacks, and infrastructure damage and supplied more resources for hunting down criminals, not for foppish conferences and summits for the leadership caste. The Department of Justice is belatedly backing away from asset seizure where no crime has been charged. When cybercrimes are charged, it would be helpful to seize all the assets – the buildings, cash and equipment – used by those indicted. This would motivate supporters of cybercriminals to be attentive to what is happening.
Most states have laws that require businesses to notify consumers whenever their personal information has been exposed in a cyberattack. The Administration proposes simplifying and standardizing those laws into one federal law that carries an obligation to quickly inform consumers and employees of the breach. The standardization is useful, especially for companies that operate in many states.
A few useful proposals were addressed, but the Administration omitted major issues, such as NSA surveillance of Americans, NSA’s cracking of widely used encryption products, an answer to Cameron’s request to hold encryption keys for many social network products, and moving credit cards to safer chip-and-PIN technology in order to reduce consumer and merchant fraud.
Hopefully, these items will be covered in an upcoming legislative proposal.
Alan Daley is a retired businessman who writes for The American Consumer Institute Center for Citizen Research.