Since the start of his Administration, when he issued the Cyberspace Policy Review — the first top-to-bottom, Administration-wide review of cybersecurity — President Obama has led efforts to better prepare our government, our economy, and our nation as a whole for the growing cyber threats we face.
That’s why in 2011 he issued his Cybersecurity Legislative Proposal, calling on Congress to take urgent action to give the private sector and government the tools they need to combat cyber threats at home and abroad. It’s why he issued the International Strategy for Cyberspace to make clear to nations abroad the foreign policy priority cybersecurity issues have become. And when Congress failed to pass comprehensive cybersecurity legislation, the Administration pressed forward, issuing an Executive Order to protect critical infrastructure by establishing baseline cybersecurity standards that we developed collaboratively with industry.
Today, at a time when public and private networks are facing an unprecedented threat from rogue hackers as well as organized crime and even state actors, the President is unveiling the next steps in his plan to defend the nation’s systems. These include a new legislative proposal, building on important work in Congress, to solve the challenges of information sharing that can cripple response to a cyberattack. They also include revisions to those provisions of our 2011 legislative proposal on which Congress has yet to take action, and along with them, the President is extending an invitation to work in a bipartisan, bicameral manner to advance this urgent priority for the American people.
Specifically, today’s announcements include:
Cybersecurity Legislative Proposal
Enabling Cybersecurity Information Sharing: The Administration’s updated proposal promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration and information sharing amongst the private sector. Specifically, the proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), which will then share it in as close to real-time as practicable with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organizations (ISAOs) by providing targeted liability protection for companies that share information with these entities.
The legislation also encourages the formation of these private-sector led Information Sharing and Analysis Organizations. The Administration’s proposal would also safeguard Americans’ personal privacy by requiring private entities to comply with certain privacy restrictions such as removing unnecessary personal information and taking measures to protect any personal information that must be shared in order to qualify for liability protection. The proposal further requires the Department of Homeland Security and the Attorney General, in consultation with the Privacy and Civil Liberties Oversight Board and others, to develop receipt, retention, use, and disclosure guidelines for the federal government. Finally, the Administration intends this proposal to complement and not to limit existing effective relationships between government and the private sector. These existing relationships between law enforcement and other federal agencies are critical to the cybersecurity mission.
Modernizing Law Enforcement Authorities to Combat Cyber Crime: Law enforcement must have appropriate tools to investigate, disrupt and prosecute cyber crime. The Administration’s proposal contains provisions that would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit theft, and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity. It also reaffirms important components of 2011 proposals to update the Racketeering Influenced and Corrupt Organizations Act (RICO), a key piece of law used to prosecute organized crime, so that it applies to cybercrimes, clarifies the penalties for computer crimes, and makes sure these penalties are in line with other similar non-cyber crimes. Finally, the proposal modernizes the Computer Fraud and Abuse Act by ensuring that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.
National Data Breach Reporting: As announced yesterday, the Administration has also updated its proposal on security breach reporting. State laws have helped consumers protect themselves against identity theft while also encouraging business to improve cybersecurity, helping to stem the tide of identity theft. These laws require businesses that have suffered an intrusion to notify consumers if consumers’ personal information has been compromised. The Administration’s updated proposal helps business and consumers by simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain these requirements into one federal statute, and puts in place a single clear and timely notice requirement to ensure that companies notify their employees and customers about security breaches.
White House Summit on Cybersecurity and Consumer Protection
On February 13, 2015, the White House will host a Summit on Cybersecurity and Consumer Protection at Stanford University, to help shape public and private sector efforts to protect American consumers and companies from growing threats to consumers and commercial networks.
The Summit will bring together major stakeholders on cybersecurity and consumer financial protection issues – including senior leaders from the White House and across the federal government; CEOs from a wide range of industries including the financial services industry, technology and communications companies; computer security companies and the retail industry; as well as law enforcement officials, consumer advocates, technical experts, and students. Topics at the Summit will include increasing public-private partnerships and cybersecurity information sharing, creating and promoting improved cybersecurity practices and technologies, and improving adoption and use of more secure payment technologies.
The Summit is also the next step in the President’s BuySecure Initiative, which was launched in November 2014, and will help advance national efforts the government has led over the last two years with executive orders on consumer financial protection and critical infrastructure cybersecurity. Through keynote speeches, panel discussions, and small group workshops, participants will build on efforts in the public and private sectors to further improve cybersecurity practices at a wide range of companies.
Grants to Historically Black Colleges for Cybersecurity Education
As the President stated in Executive Order 13532, “Promoting Excellence, Innovation, and Sustainability at Historically Black Colleges and Universities” in February 2010, historically black colleges and universities (HBCUs) have made historic and ongoing contributions to the general welfare and prosperity of our country. Established by visionary leaders, America’s HBCUs, for over 150 years, have produced many of the Nation’s leaders in business, government, academia, and the military, and have provided generations of American men and women with hope and educational opportunity. Recognizing that HBCUs serve as engines of opportunity, innovation, and economic growth, Vice President Biden will travel to Norfolk, VA on Thursday to announce that the Department of Energy will provide $25 million in grants over the next five years to support a cybersecurity education consortium consisting of 13 HBCUs and two national labs.
This program, part of the President’s jobs-driven training initiative, will help to fill the growing demand for skilled cybersecurity professionals in the U.S. job market at the same time that it helps to grow the science, technology, engineering, and mathematics (STEM) curricula for HBCUs. The participating schools include two-year colleges, four-year colleges, and research institutions in seven states, plus the Virgin Islands.