White House Legislative Proposal Would Enhance Cyber Info Sharing

The White House has developed a revised cybersecurity legislative proposal that would promote real-time information sharing between the government and private sector and empower law enforcement to fight and prosecute cybercrime.

President Barack Obama is unveiling the legislative proposal Tuesday, following his speech Monday about improving consumer digital privacy and online security.

The cybersecurity proposal revises provisions of the administration’s 2011 proposal that focused on protecting critical infrastructure, according to a White House fact sheet.

The revised proposal calls for enhanced collaboration among private companies and with the government. It encourages companies to share cyberthreat data with the Department of Homeland Security’s (DHS) 24/7 cyberoperation center, the National Cybersecurity and Communications Integration Center (NCCI). The NCCI would share that data with relevant federal agencies and newly developed information sharing and analysis organizations (ISAOs). The private sector would lead and develop such organizations.

Companies could share data with DHS in exchange for “targeted liability protection,” the fact sheet noted. The White House has studied various approaches to liability protection, including “reduced tort liability, limited indemnity, higher burdens of proof, or the creation of a federal legal privilege that preempts State disclosure requirements,” White House Cybersecurity Coordinator Michael Daniel said in a 2013 blog post.

The legislative proposal would require companies to remove unnecessary personal information, or properly protect it, before sharing data with the government.

To further ensure that proper safeguards are in place, DHS and the attorney general would be directed to work with the Privacy and Civil Liberties Oversight Board and other entities to “develop receipt, retention, use, and disclosure guidelines for the federal government,” according to the White House fact sheet.

The legislative proposal would update measures in the Racketeer Influenced and Corrupt Organizations Act (RICO), so that the law used to prosecute organized crime would also apply to cybercrime. It would also modernize the Computer Fraud and Abuse Act to ensure “that insignificant conduct does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.”