Trial Balloon: Will Obama’s Cyber Proposals Sink or Fly?

President Obama's proposals to expand legal tools to pursue hackers are being criticized ahead of the State of the Union Address.
President Obama’s proposals to expand legal tools to pursue hackers are being criticized ahead of the State of the Union Address.

In-brief: President Obama is putting cyber security at the top of his agenda for the State of the Union Address on Tuesday. But security experts are warning that the proposed laws will complicate many aspects of their work in the name of fighting hackers.

U.S. President Barack Obama will deliver his annual State of the Union address to the U.S. Congress on Tuesday. A raft of new proposals to strengthen the nation’s cyber security are at the top of his agenda.

As the address draws near, however, information security professionals are warning that many of the President’s proposals will have a chilling effect on their work, using the cause of fighting hackers criminalizing activities that are essential to investigating their crimes.

The President’s proposals have been outlined in a series of releases and speeches by the President in recent weeks, including an address at the Federal Trade Commission on protecting consumers’ privacy and the Department of Homeland Security (DHS) on fighting cyber crime.

Among other things, the Obama Administration is calling for changes to existing laws, including the Computer Fraud and Abuse Act (CFAA). The Administration is also making proposals that enhance the cybersecurity authority of the Department of Homeland Security (DHS) and to increase private-sector information sharing. Finally, the President is proposing the creation of a nationwide data breach law that would supersede more than three dozen state data breach provisions.

However, the specific provisions the President is proposing are already generating controversy. Security expert Robert Graham has penned a pointed response to the Administration’s proposals that alleges the changes to the Computer Fraud and Abuse Act will allow the use of powerful racketeering laws for the prosecution of hacking groups. In his opinion piece, Graham worries that such changes will make it possible to criminalize innocent but “suspicious looking” activities like penetration testing vulnerable servers or hanging out in an Internet Relay Chat (IRC) room with known, criminal hackers.

“The most important innovators this law would affect are the cybersecurity professionals that protect the Internet. If you cared about things such as ‘national security’ and ‘cyberterrorism’, then this should be your biggest fear. Because of our knowledge, we do innocent things that look to outsiders like ‘hacking.’ Protecting computers often means attacking them. The more you crack down on hackers, the more of a chilling effect you create in our profession. This creates an open-door for nation-state hackers and the real cybercriminals.” – Robert Graham, erratasec.com

Writing in the Washington Post, Orin Kerr, a professor at George Washington University Law School, voices concern about the Administration’s willingness to broaden the language of the Computer Fraud and Abuse Act. As written, those changes could allow prosecutors to charge suspects with multiple counts for, essentially, the same act.

Kerr also warns about the expansion of prosecutions for violations of what he terms “norm based liability” – essentially: estimations of what social ‘norms’ and expectations of computer use are. Such readings have been used, in the past, to obtain criminal convictions against individuals for behaviors that few would consider criminal. Famously, Andrew Alan Escher Auernheimer, the hacker known as “Weev,”  was prosecuted merely for scraping information from AT&T’s web site that was publicly available. The government’s case against him rested on the notion that, had Auernheimer asked AT&T for the data in question, the company would have refused to give it to him.

“I read the Administration’s proposal as adopting the prosecution’s view in Auernheimer,” Kerr wrote. The Administration’s effort to expand the legal definition of  ‘exceeding authorized access’ would allow “lots of prosecutions under a ‘you knew the computer owner wouldn’t like that’ theory,” Kerr wrote. “And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual’s actual conduct.”

A separate analysis of the Administration’s information sharing proposals by Paul Rosenzweig on the Lawfare blog express concerns about the Administration’s effort to improve sharing of information on cyber attacks between private sector and public sector entities or law enforcement. Writing on Friday, Rosenzweig called aspects of the Administration’s proposals “both ambigous (sp) and, in the end, perhaps a bit disingenuous if the ambiguity is intentional.” Specifically,  Rosenzweig warns that the Administration’s efforts to carve out liability protections for private firms that share threat information complicates the relationship between federal protections and state level tort law in ways that will be difficult to untangle.Other changes that limit the government’s ability to collect cyber threat information to cases that carry the possibility of “direct bodily harm” or “the sexual exploitation of minors” may be too narrowly written, Rosenzweig worries, creating new barriers to information sharing in a law that generally is trying to do the opposite.

You can read more of Rosenzweig’s analysis on the lawfare blog here. Kerr’s analysis for The Washington Post is here.

Cyber security legislation is one of a slew of long-delayed issues facing lawmakers in Washington D.C. Proposals to update the Computer Fraud and Abuse Act have been proposed almost yearly for the last decade. However, efforts at reform have fallen victim to partisan gridlock, despite bipartisan agreement on the need for strong cyber security laws and support for reform.

The lack of legal reform has left U.S. industries struggling to comply with a maze of state-level laws and – some would argue – vulnerable to sophisticated hackers.

In November, retail groups from across the U.S. sent a letter to Congressional leaders that urged them to pass federal data protection legislation that sets clear rules for businesses serving consumers. The letter, dated November 6, was addressed to the majority and minority party leaders of the U.S. Senate and the House of Representatives and signed by 44 state and national organizations representing retailers, including the National Retail Federation, the National Grocers Association, the National Restaurant Association and the National Association of Chain Drug Stores, among others.