Warning that foreign governments, criminals and hackers target American computer networks “every single day,” President Barack Obama pushed Tuesday for legislation to bolster the U.S. against cyber attacks.
Obama’s remarks at the National Cybersecurity and Communications Integration Center came a day after Islamist jihadist sympathizers hackers tapped into the Twitter and YouTube accounts of the U.S. Central Command. Obama said that no military operations were affected and no classified information was released, but he said the incident is a reminder “that cyberthreats are an urgent and growing danger."
Obama’s plans include a new legislative proposal to promote information sharing between the government and private sector, a summit and grants to historically black colleges for cybersecurity education.
The White House says the moves come at a time “when public and private networks are facing an unprecedented threat from rogue hackers as well as organized crime and even state actors.”
The action includes updating a 2011 cybersecurity legislative proposal that was not passed by Congress. The administration says the update promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration in the private sector.
Obama, who met Tuesday with congressional leaders, said he had already talked cybersecurity with House Speaker John Boehner and Senate Majority Leader Mitch McConnell and believes the three “agree that this is an area where we can work hard together and get some legislation done, and make sure that we are much more effective in protecting the American people from these kinds of cyberattacks.”
Obama said he plans to talk about the problem at his State of the Union address next Tuesday, and noted that the attack on Sony Entertainment and the Centcom attack demonstrate “how much more work we need to do, both public and private sector, to strengthen our cybersecurity to make sure that families’ bank accounts are safe, to make sure that our public infrastructure is safe.”
Specifically, the administration’s proposal encourages the private sector to share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which will then share it with other federal agencies and with private sector organizations by providing targeted liability protection for companies that share information.
Obama noted that most of the infrastructure is owned and operated by the private sector, but that “neither government nor the private sector can defend the nation alone. It's going to have to be a shared mission — government and industry working hand in hand.”
He said the U.S. is more prepared to defend against cyberattacks, but that adversaries are getting more determined and sophisticated.
"We've got to stay ahead of those who would do us harm,” he said. “The problem is that government and the private sector are still not always working as closely together as we should.” He said it was sometimes still too hard for government to share threat information with companies, and vice versa.
The legislation also encourages the formation of private-sector led information sharing and analysis organizations. The administration’s proposal would also safeguard personal privacy by requiring private entities to comply with privacy restrictions such as removing unnecessary personal information and taking measures to protect personal information. It also requires the Department of Homeland Security and the Attorney General to develop receipt, retention, use, and disclosure guidelines for the federal government.
The Retail Industry Leaders Association called collaboration between industry and government “crucial in the fight against sophisticated and persistent cyber criminals.”
“Retailers have made great strides setting up the Retail Cyber Intelligence Sharing Center and facilitating threat information sharing, both within the industry and also with the government,” said Nicholas Ahrens, vice president for cybersecurity and data privacy at the association. “We look forward to continuing to coordinate with the NCCIC in the fight to protect customers from cyber criminals.”
The administration’s proposal also contains provisions that would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.
Boehner’s office said Obama and lawmakers talked about preventing cyber-attacks and that Boehner pointed out that the House had passed a number of measures that were blocked in the Democratic-controlled Senate.
“Republicans are ready to work with both parties to address this important issue and put some common-sense measures on the president’s desk,” his office said.
Obama will attend and the White House will host a Cybersecurity and Consumer Protection summit on Feb. 13 at Stanford University, to help shape public and private sector efforts to protect consumers and companies from threats to consumers and commercial networks.
The White House says the summit will bring together “major stakeholders” on cybersecurity and consumer financial protection issues – including senior leaders from the White House and across the federal government; CEOs from the financial services industry, technology and communications companies; computer security companies and the retail industry; as well as law enforcement officials, consumer advocates, technical experts, and students.
Also, Vice President Joe Biden will travel Thursday to Norfolk, Va. to announce that the Department of Energy will provide $25 million in grants over the next five years to support a cybersecurity education consortium consisting of 13 HBCUs and two national labs.
The participating schools include two-year colleges, four-year colleges, and research institutions in seven states, plus the Virgin Islands.
Rep. Devin Nunes, R-Calif., chairman of the House Permanent Select Committee on Intelligence, said he welcomed Obama’s proposal and that it would receive “close consideration” as the committee drafts legislation.
“Cyberattacks are a growing danger to the United States, our economy, and our national security,” he said. “This Congress needs to strengthen our defenses against these attacks by passing an effective information sharing bill.”
Rep. Adam Schiff, D-Calif., the ranking member of the House Permanent Select Committee on Intelligence, called the administration’s proposal a “significant step forward in protecting our infrastructure, our economy, and the online security of millions of Americans.”
He said he was pleased the White House endorsed privacy protections by requiring that companies remove personal information before sharing cyberthreat data with DHS or private sector organizations.
The alleged North Korean cyber attack on Sony was the focus of an administration briefing to the House Foreign Relations Committee at which Republican and Democratic members called for the imposition of further sanctions against Pyongyang.
Several also questioned whether the United States is doing enough to pressure China and Russia to shut down North Korea’s access to the hard currency that the regime needs to fund its nuclear weapons, ballistic missile and cyber warfare programs and the luxury goods for the tiny elite that run the isolated, impoverished nation.
Committee chairman, Rep. Ed Royce, R-Calif., noted that an executive order issued by Obama on Jan. 2 in response to the attack on Sony’s computers allows the president “to target anyone who is a part of the North Korean government or is assisting them in any way for anything.”
“We need to step up and target those financial institutions in Asia and beyond that are supporting the brutal and dangerous North Korean regime,” said Royce. “Such sanctions have crippled North Korea in the past, leaving the regime unable to buy the loyalty of its generals.”
The hacking of Sony’s computers is estimated to have cost the company hundreds of millions of dollars and raised serious concerns about the security of critical computerized U.S. infrastructure, such as power grids.
Noting that Beijing provides crucial financial and material support to Pyongyang, including fuel, Rep. Brad Sherman, D-Calif., said that it appeared that China has “made a strategic decision that North Korea’s success is so important that they will give them free money.”
While asserting that China could do more to isolate North Korea, the administration representatives said that Beijing has responded to U.S. pressure by limiting Pyongyang’s access to hard currency, including severing ties between major Chinese commercial banks and North Korean banks.
The cyber attack on Sony showed that Chinese computer networks also are potentially vulnerable to North Korean cyber strikes, they said.
“It’s clear that the Chinese are thinking much more seriously about their North Korea policy,” said Sung Kim, a former U.S. ambassador to South Korea who serves as the administration’s special representative for North Korea policy. “China’s own interests are harmed when North Korea misbehaves.”
Kim said that the Jan. 2 executive order was just a “first step” in a U.S. response to the Sony attack that is part of a wider policy aimed at forcing Pyongyang to return to international talks on shuttering its nuclear weapons program, ending massive abuses against its people and normalizing its relations with the rest of the world.
Jonathan Landay contributed to this report