President Barack Obama is set to propose new US cybersecurity legislation this week in an effort to tackle the growing problem of cybercrime. Recent high-profile hacks on government organizations have caused considerable embarrassment, and there is growing concern that the US government is losing the war on cybercrime and that it can do little to prevent attacks from foreign-government-backed hacking groups.
New US cybersecurity legislation will increase the government’s power to prosecute cybercriminals
New US cybersecurity legislation is seen as the answer to the government’s inability to prevent cyberattacks. Further intel is required, and new powers are needed to pursue criminals and to take action over criminal activity that takes place outside US borders.
Currently, private companies are unwilling to share cyberthreat intel with the government, and improved collaboration and intel sharing with the private sector is seen as critical in the fight against cybercrime.
The proposed US cybersecurity legislation would make it much easier for the courts to take action to shut down criminal botnets and would discourage the sale of spyware. It will also expand the current Racketeer Influenced and Corrupt Organizations Act. This would give the government greater power to prosecute individuals engaged in cybercriminal activity, such as the selling or renting of botnets. It would also increase the government’s power to prosecute for the selling of government information outside US geographical boundaries.
The new US cybersecurity legislation is being pushed through in the wake of a particularly embarrassing hack of the U.S. Central Command’s Twitter account. Hackers managed to gain access to the Twitter account and post pro-ISIS content. Action was already being planned following a host of major cybersecurity incidents such as the attack on Sony, which has been attributed to a hacking team backed by North Korea. The Twitter hack was the last straw for many, and will be used to help push through the new legislative package.
In the words of President Obama, the attacks “show how much more work we need to do, both public and private sector, to strengthen our cybersecurity.”
US cybersecurity legislation to offer private companies targeted liability protection
Private companies will be forced to share their cyberthreat intelligence with the government, although they will receive “targeted liability protection.” Even President Obama admitted to not knowing exactly what that meant.
The problem with sharing intelligence data is the threat of subsequent lawsuits. The liability protection is supposed to relieve any fears of legal action for the disclosure of information, although private companies may require more convincing.
Under the current proposals, private companies would be permitted to remove information about individuals before sharing data. Previous attempts to introduce new US cybersecurity legislation have failed due to the unwillingness of private companies to leave themselves wide open to litigation.
Part of the new legislative package is likely to include a new data breach notification law that would require all organizations to report hacking incidents to the government as well as requiring them to provide further information about cybersecurity breaches and data theft to consumers.
While few would dispute that new US cybersecurity legislation is required, many privacy proponents are uncomfortable with the wording being used in the proposed legislative package, which they claim is intentionally vague.