Hackers who breach and cause substantial harm to critical infrastructure systems would face a mandatory minimum three-year prison sentence if the White House gets its way.
The Obama administration is requesting the mandatory prison sentence in a legislative proposal it submitted to Congress on Thursday, which outlines a long but vague list of cybersecurity provisions the White House would like included in upcoming bills. The list includes a number of changes to laws governing hacking (.pdf), as well as laws authorizing the federal government to assist private companies in securing their computer networks when asked to mitigate threats.
The administration also wants to create a national data-breach law that would help standardize the patchwork of state laws and force companies that operate critical-infrastructure systems to produce a security plan customized to protect against threats to their systems. The plans would be subject to evaluation by an independent commercial auditor and give the Department of Homeland Security authority to request changes to the plans if the government deems them insufficient.
The government also wants to require critical infrastructure companies to report significant breaches to DHS and to give them immunity from civil liability for sharing information with the government.
Critical-infrastructure computers are defined as those that manage or control systems vital to national defense, national security, economic security, public health or safety. These include companies involved in production and management of oil, gas, water and electricity; telecommunication networks; finance and banking systems; emergency services; transportation systems and services; and government entities that provide essential services to the public.
Legal experts have panned the White House proposal as insubstantial and ineffective, particularly because it provides for no incentives -- through fines or otherwise -- to force critical-infrastructure entities to shore up their networks.
"We don’t expect industry to do anything without a legal incentive, so I don’t know why they think now they will get good cybersecurity just by asking for it," says Fred Cate, law professor and director of the Center for Applied Cybersecurity Research at Indiana University. "You’re absolutely free to set up the weakest security you want [under this proposal], and unless you’re in one of those regulated spots like financial services, there’s no consequence to it."
Of all the items on the White House cybersecurity wish list, the provisions dealing with criminal penalties are the easiest for lawmakers to grant.
The criminal penalty for hacking into critical infrastructure is designed to emphasize the national security threat of such intrusions. According to the proposal, the three-year sentence the White House is seeking could not be served concurrently with sentences for other violations a suspect might receive, nor could the court use the three-year mandatory sentence to reduce a suspect's other sentences as compensation.
The administration also wants lawmakers to extend the Racketeering-Influenced and Corrupt Organizations Act, or RICO, to cover felony computer crimes. RICO has traditionally been used to prosecute the mob and other organized crime groups but does not presently cover computer crime.
Other items on the government wish list, however, will be more problematic for lawmakers and will likely involve pushback from industry and civil liberties groups.
The first involves a provision that would authorize state and local governments as well as private entities (.pdf) to disclose information they possess to DHS "for the purpose of protecting an information system" from cyberthreats, except information that is subject to a court order or requires other certification for law enforcement to obtain.
DHS may share the information with law enforcement agents if it's evidence of a crime which has been or is about to be committed. The entity providing the information would be immune to civil or criminal prosecution for providing the information.
DHS would be required to develop safeguards with unspecified "privacy and civil liberties experts" for how and under what circumstances such information should be shared. But Cate says these are empty words, because Congress created a privacy and civil liberties oversight board years ago that has yet to be seated.
"[President] Bush never appointed members to it, and Obama has nominated only two of the five [seats]," he says. "It has real power to oversee information privacy and security, but if no one puts members on it but keeps saying they care about privacy, it’s just a little hard to take it seriously."
The government's proposal for industry audits of security plans appears to be modeled in part after the Payment Card Industry standards -- a system imposed by the credit card industry that requires companies processing credit and debit card transactions to adhere to a list of security protocols, such as encrypting sensitive information, and installing firewalls and antivirus and intrusion-detection systems. The companies are required to obtain third-party audits to certify that they adhere to the standards.
That system, however, has long been criticized by security professionals as ineffective, because companies pay auditors to certify them -- allowing potential abuse of the certification process -- and a firm can quickly fall out of certification once an audit is completed. And many of the biggest credit card breaches in the last few years -- such as one at Heartland Payment systems -- occurred on networks that were certified by auditors as PCI-compliant at the time they were breached.
Another part of the proposal that could get pushback involves the national breach-notification law (.pdf).
Forty-seven states currently have such notification laws that require entities to inform the public when intruders gain unauthorized access to personally identifiable information about them. But the laws vary in definition of "personally identifiable information" and also vary in their requirements about who companies have to notify and what they have to disclose, creating confusion for companies and consumers.
It's possible that with White House support, a national effort could succeed this time, though it's not likely to appease everyone. The government's proposal expands and clarifies what constitutes personally identifiable information, including unique biometric data such as a fingerprint, voice print, retina or iris image, or any other unique physical representation.
But the proposal requires only businesses with data on more than 10,000 people to report a breach and allows 60 days after discovering the breach to do so. It also exempts an entity from notifying the public, if notification would impede a law enforcement investigation or cause damage to national security. The U.S. Secret Service would be required to report to Congress the number and nature of any breaches that fell under these exemptions.
Entities notifying the public of a breach would be required to provide only the most minimal information, such as a description of the information at risk and a toll-free number for inquiries. They wouldn't, however, have to disclose when the breach occurred or how long an intruder was in the system before being discovered -- information that would help people assess how long their information had been at risk.
Entities would have to notify DHS of any breaches that involved personally identifiable information of more than 5,000 individuals, or involved a database containing identifiable information on more than 500,000 individuals nationwide, or if the breach involves databases owned by the federal government, or that contain information of government employees or contractors involved in national security or law enforcement. The Federal Trade Commission would be charged with determining what information such notices to DHS would have to contain.
Photo: President Barack Obama delivers an address on cybersecurity and the nation's digital future in the East Room of the White House in May 2009. (Chuck Kennedy/White House)
