Credit: flickr/Steve Jurvetson via CSO Online
President Barack Obama followed up Monday's speech about data breach notification with another speech Tuesday encouraging companies to share information about cyberattacks.
In an address to the National Cybersecurity and Communications Integration Center (NCCIC) he proposed legislation that offers liability protection to companies that share information.
Previously, such legislation had stalled due to privacy concerns, but the current proposal requires companies to remove "unnecessary personal information" before sharing.
The proposed legislation also contains provisions that would allow for the prosecution of the sale of botnets, would criminalize the overseas sale of stolen personal financial information, and would give courts the authority to shut down criminal botnets.
"We want to be able to better prosecute those who are involved in cyber attacks, those who are involved in the sale of cyber weapons like botnets and spyware," he said. "We want to ensure that we're able to prosecute insiders who steal corporate secrets or individuals' private information."
Privacy groups met this latest proposal with a great deal of skepticism.
"Introducing information sharing proposals with broad liability protections, increasing penalties under the already draconian Computer Fraud and Abuse Act ... are both unnecessary and unwelcome," said the Electronic Frontier Foundation in a statement.
"Expanded information sharing poses a serious risk of transferring more personal information to intelligence and law enforcement agencies," the organization added.
Security experts also reacted to the information sharing aspects of this proposal with some criticism.
"There is no guarantee the concept will be met with open arms," said Dodi Glenn, senior director of security intelligence and research labs at Clearwater, FL-based ThreatTrack Security, Inc. "I have personally been involved in operations where the very second a private company mentions involving the U.S. government, other participating companies become hesitant to continue to share data."
According to Glenn, there is a clear trust issue between the government, the private sector, and the public. Allegations of domestic spying, for example, have damaged the government's credibility on this issue. "Passing this bill is critical to the environment we are living in 2015, I do not know a business, consumer or security expert who would beg opposition."
"It is critical that the government not overreach in any information sharing program, and that they work with the private sector as a true partner," he said.
"The industry has proven that sharing information is not something the industry does just because someone says it's a good thing to do," said Tsion Gonen, chief strategy officer at Amsterdam-based security firm Gemalto.
The proposed legislation leaves some important questions unanswered, said Carl Wright, general manager at San Mateo, CA-based security firm TrapX.