5 Flaws in Obama’s New Cybersecurity Plan

Digital-rights groups are skeptical of the proposal just announced by the president.

<a href="http://www.shutterstock.com/cat.mhtml?lang=en&language=en&ref_site=photo&search_source=search_form&version=llv1&anyorall=all&safesearch=1&use_local_boost=1&searchterm=cybersecurity&show_color_wheel=1&orient=&commercial_ok=&media_type=images&search_cat=&searchtermx=&photographer_name=&people_gender=&people_age=&people_ethnicity=&people_number=&color=&page=1&inline=180510311">Max-Studio</a>/Shutterstock

Let our journalists help you make sense of the noise: Subscribe to the Mother Jones Daily newsletter and get a recap of news that matters.

Following a string of high-profile corporate hacks at companies such as Target, Home Depot, and Sony, President Obama is now urging Congress to improve how companies respond to data breaches. He wants to require them to disclose consumer data breaches within 30 days of discovering them, make it easier for companies to share information about hacking threats with one another and the federal government, and criminalize the sale of botnets, programs used to coordinate attacks.

But while those may sound like good ideas, they’re not winning universal support from top digital rights groups. “President Obama’s cybersecurity legislative proposal recycles some old ideas that should remain where they’ve been since May 2011: on the shelf,” writes the Electronic Frontier Foundation (EFF).

Here are the top five concerns with Obama’s proposals:

1. They may allow companies to share your personal data with the NSA: Companies would receive legal immunity in connection with sharing information about threats with a cybersecurity center headed by the Department of Homeland Security, which could immediately pass it along to the National Security Agency and other federal agencies. The proposed disclosure law, which would trump other state or federal data-privacy laws, would require companies to take unspecified “reasonable” steps to strip information that could identify a specific person before sharing it, but only for individuals “reasonably believed to be unrelated to the cyber threat.”  

2. Private companies and the government already share information about security threats: The sharing happens through the nonprofit Information Sharing and Analysis Centers and Homeland’s Enhanced Cybersecurity Services. “The question is what gap this bill is trying to fill when we already have a robust information sharing machine,” says EFF legislative analyst Mark Jaycox.

3. The reforms would increase penalties under the draconian Computer Fraud and Abuse Act: The notoriously broad and stringent CFAA is best known as the tool used by the feds to prosecute digital rights activist Aaron Swartz, who killed himself in 2013 while facing 35 years in jail and $1 million in fines in connection with downloading copyrighted scientific articles. “We’ve repeatedly seen government prosecutions that use the CFAA’s tough penalties to bully people,” says Jaycox. In a press release, the White House says it wants to ensure the act isn’t used to target “insignificant conduct.” But a close reading of its proposed reforms appears to tell a different story: One provision increases the penalty for stealing data from any “protected computer” from one year to three, even if it wasn’t done for commercial gain.

4. They supersede state laws: The White House’s consumer data breach law would supersede at least 38 state data-breach laws, some of which are more stringent than the proposed federal standard. The law proposed by the White House would apply only to businesses that store information on more than 10,000 individuals, but California, Florida and some other states have disclosure laws that apply to any company that experiences a data breach affecting more than 500 people. “Any such proposal should not become a back door for weakening transparency or state power,” the EFF said in a statement, “including the power of state attorneys general and other nonfederal authorities to enforce breach notification laws.”

5. They could limit online civil disobedience: There are plenty of legitimate reasons to curtail the sale of botnets, but they’ve also been used by activists to carry out distributed denial of service (DDOS) attacks against repressive governments and corporate ne’er-do-wells. Last year, the hactivist collective Anonymous posted a petition on Whitehouse.gov asking that DDOS attacks be recognized as a legal form of protest similar to the Occupy protests. Under the CFAA, carrying out a DDOS attack can already land you in jail for many years, but now the White House wants to further clamp down on the practice by specifically allowing the Attorney General to go after botnets that help enable them.


Headshot of Editor in Chief of Mother Jones, Clara Jeffery

It sure feels that way to me, and here at Mother Jones, we’ve been thinking a lot about what journalism needs to do differently, and how we can have the biggest impact.

We kept coming back to one word: corruption. Democracy and the rule of law being undermined by those with wealth and power for their own gain. So we're launching an ambitious Mother Jones Corruption Project to do deep, time-intensive reporting on systemic corruption, and asking the MoJo community to help crowdfund it.

We aim to hire, build a team, and give them the time and space needed to understand how we got here and how we might get out. We want to dig into the forces and decisions that have allowed massive conflicts of interest, influence peddling, and win-at-all-costs politics to flourish.

It's unlike anything we've done, and we have seed funding to get started, but we're looking to raise $500,000 from readers by July when we'll be making key budgeting decisions—and the more resources we have by then, the deeper we can dig. If our plan sounds good to you, please help kickstart it with a tax-deductible donation today.

Thanks for reading—whether or not you can pitch in today, or ever, I'm glad you're with us.

Signed by Clara Jeffery

Clara Jeffery, Editor-in-Chief

payment methods

We Recommend