Sony hack gives Obama political capital to push cybersecurity agenda
In gridlocked Washington, the aftereffects of the cyberattack on Sony Pictures may ultimately forces Republicans and Democrats to come together on an information-sharing bill.
After the leaks from the former National Security Agency contractor, privacy advocates staunchly opposed cybersecurity bills that share information with the government, amid fears they would increase the spy agency’s power to access and share even more private information from citizens. The information-sharing bills stalled.
Obama’s proposals, one week before his State of the Union address, come after the destructive hack of Sony Pictures Entertainment, for which the government has publicly blamed and sanctioned North Korea. It’s also on the heels of a maelstrom of other high-profile data breaches last – including on Home Depot and JP Morgan Chase & Co. – and this week’s brief takeover of the US military’s Central Command social media accounts by apparent Islamic State supporters.
All told, it may be enough momentum to break the logjam and give members of Congress political cover to come together this session to support a controversial part of Obama’s cybersecurity agenda: To give companies immunity from lawsuits if they share certain information about cyber threats with the government with the Department of Homeland Security.
An information-sharing bill “has to pass this Congress,” Senate Intelligence Committee Chairman Richard Burr, a North Carolina Republican, told Passcode. “It helps any time the president supports something.”
Moving a cybersecurity information-sharing bill “has never been easy,” he acknowledged, “but we’re committed to go extremely quickly.”
The Sony hack was a wake-up call on Capitol Hill, several lawmakers said. The attackers not only stole private information, they destroyed company data and computer hardware, and they also coerced Sony into altering its plans to release "The Interview," the comedy about the assassination of the North Korean leaders. All of this may go a long way to persuade lawmakers that mandating information sharing about cybersecurity threats will ultimately help defend private companies.
“I’m glad [Obama] is pushing to address cyber legislation,” said Republican Sen. Kelly Ayotte of New Hampshire. “We’ve stalled in the past, and if you look at what happened with the Sony attack, I think we can’t afford to stall anymore. I think his timing is right on here… . I haven’t talked to anyone in Congress who has said, ‘This shouldn’t be a priority for us.’”
Sen. Angus King, an independent on the Intelligence Committee, agreed. “I think everybody realizes the urgency.”
Maryland Democratic Rep. Dutch Ruppersberger, who already reintroduced his version of information-sharing legislation this session, said in a statement that, “President Obama and I agree we can no longer afford to play political games while rogue hackers, terrorists, organized criminals and even state actors sharpen their cyber skills.”
However, just because “everybody’s on board with the idea of it” – as Republican Sen. John McCain puts it – doesn’t mean it will be easy to make progress on this controversial and complicated issue. “I have been to more meetings on cyber than any other issue in my time in the Senate, and gotten the least amount of result,” said Senator McCain, who chairs the Armed Services Committee.
There are already divisions emerging this time around. McCain opposes the White House’s proposal to route cyberthreat information through the Department of Homeland Security. He said the National Security Agency should take that role. “I’m glad to see a proposal of theirs, for a change, and we’ll be glad to work on it – just not rubber stamp it,” said McCain.
On the other side of the spectrum, some privacy advocates are unhappy that Obama’s proposal – which essentially rehashes bills maligned by privacy groups since 2011 – would enable DHS to share the data it receives on threats with other relevant federal agencies.
“We’re going to be pushing to kill the bill, probably,” said Mark Jaycox, a legislative analyst for the Electronic Frontier Foundation, in part because it still does not appear to offer a mandatory requirement companies remove personal information before sharing it, and because the data will ultimately end up in the hands of the NSA.
“While its always good for the White House to talk about consumer privacy and user privacy, the most important privacy item is NSA reform,” Mr. Jaycox said.
That said, members appear to have an eye on compromise.
One of the most divisive issues has been which agency will collect the threat information – and Senate Homeland Security and Governmental Affairs Chairman Ron Johnson says he is inclined to support using DHS as the main repository.
“Because of the sensitivity of the Edward Snowden public perception, and the concern about civil liberties, the civilian agency of government might be the best place to have as a center point,” Senator Johnson, a Wisconsin Republican, told Passcode.
Burr, the Intel chair, also hinted at the possibility of compromise. “I think we’ll do this in a way that can assure passage – because the nation needs it.”
Johnson says the urgency for cybersecurity legislation after the Sony hack might sway some of his Republican colleagues to move away from focusing on the NSA – as well as people on the left, too.
“It’s not just the federal government that can threaten our civil liberties," said Johnson. If attacks such as the Sony hack continue, he said, "take a look at how much at risk our freedoms will be at that point.”
Sony may help overcome the post-Snowden “fear factor” about sharing information with the government, said Rep. Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, which has grown by 11 members just this session.
Cybersecurity legislation stalled because Snowden “created this belief that there was this massive government overreach on the capabilities of the information that was being collected at NSA,” said Representative Langevin, a Rhode Island Democrat, in an interview last week. “It didn’t have really anything to do with what we’re talking about in terms of sharing classified threat signatures.”
But now, he said, “People are becoming attuned to the fact that a country or a hacker could really go after one of the nation’s major corporations as they did against Sony, and cost them potentially hundreds of millions of dollars in damage.” And that, said Langevin, "was an eye opener.”