If those Sony cyberattacks bummed you out, the White House wants you to know that it has a proposal to deal with those kinds of security risks in the future. Just one problem: President Barack Obama’s plan is very similar to the Cyber Intelligence and Sharing Act (CISPA) legislation that he previously promised to veto.
Yesterday, the White House published a press release that proposed a number of new measures for protecting public and private entities from cyberthreats. The heart of the plan would have corporations share information about attacks with the U.S. government and its security agencies. This move from the executive branch is widely seen as a response to the Sony Pictures breach, which helped hackers get access to an unprecedented amount of private data from a corporation. But it’s also a response to the distributed denial-of-service (DDoS) attack that brought down the PlayStation Network and Xbox Live gaming services on Christmas Day. While many are looking for the government to take action about online threats, at least one privacy group is worried Obama’s proposal already goes too far.
The administration is proposing a provision “that would allow for the prosecution of the sale of botnets,” which are usually banks of computers that anyone can rent and use for any means they choose. Botnets are crucial to running DDoSes, as we explain in our report on why PSN went down. Obama also wants to “give courts the authority to shut down botnets engaged in DDoS attacks and other criminal activity.”
If those elements of the Obama plan go into effect, law enforcement may have an easier time shutting down some DDoS barrages. The cyberattack group Lizard Squad, which took credit for the PSN and Xbox Live assaults, is actually selling DDoS as a service now to anyone who has the cash, and these potential laws would help U.S. agencies go after and prosecute the group for doing that.
But this isn’t the part of the plan that the privacy advocates at the Electronic Frontier Foundation are worried about. In a statement on its website, the organization made it clear that Obama is using recent headlines to justify security measures that could end up giving the government even more access to private information about individuals.
We contacted the EFF for a comment, and it pointed us to its official statement. We also reached out to Sony and Microsoft, and we’ll update this post with any new information or comments.
“More needs to be done to protect cyberspace and enhance computer security,” reads the EFF statement. “But President Obama’s cybersecurity legislative proposal recycles old ideas that should remain where they’ve been since May 2011: on the shelf.”
The EFF is referring to CISPA, which lawmakers first introduced in 2011 and which was just reintroduced in the House of Representatives last week. In 2013, a version of CISPA passed the House but did not get through the Senate — the reintroduced bill is similar to the 2013 version.
You may remember hearing about CISPA as it inspired a backlash. Many critics viewed the bill as a way to legalize “cyberspying.” It would enable companies to search their data for “threat information.” Companies would then share that data with other security companies as well as the U.S. government, all without a search warrant.
Obama’s measures call for a similar kind of information sharing. While both the administration and the authors of CISPA claim that their respective proposals would remove “unnecessary personal information,” that’s not enough for the EFF.
“Given that the White House rightly criticized CISPA in 2013 for potentially facilitating the unnecessary transfer of personal information to the government or other private sector entities when sending cybersecurity threat data,” reads the EFF statement, “we’re concerned that the administration proposal will unintentionally legitimize the approach taken by these dangerous bills.”
The EFF goes on to claim that neither proposal even deals with the “low-hanging fruit” that would shore up security in U.S. networks. This includes using the information-sharing hubs that already exist, like the Department of Homeland Security’s Enhanced Cybersecurity Services and the Information Sharing and Analysis Centers.
“All of these institutions represent robust information sharing hubs that are underutilized and under-resourced,” the EFF statement says.
The privacy organization goes on to say that education of the people running our networks is of grave importance.
“It’s well known that many security breaches are due to employees downloading malware,” the EFF statement continues. “Yet another key solution is to follow basic security precautions. The New York Times reported the JP Morgan hack occurred due to an un-updated server.”
The EFF is saying that common sense is a much better first step than putting in place a mechanism that the government could easily abuse. CISPA even has a clause that would enable the agency to get protected personal information in certain, undefined circumstances.
So while it was a drag that I couldn’t play Far Cry 4 during the holidays and that internal Sony emails are making headlines, it’s possible that our response to those events could do more harm than good.