President Obama in December signed a series of cybersecurity bills designed to help the government better protect its networks and enhance its ability to work with the private sector. However, the largely noncontroversial bills are seen as offering little help to U.S. companies trying to protect their computer networks in light of North Korea’s alleged attack on Sony’s Entertainment’s computers, which publicly exposed confidential employee information and company executives’ e-mails.
“The Sony incident underscores the clear and present threat to America's thriving digital economy,” said House Energy and Commerce Committee Chairman Fred Upton (R-Mi.) in a statement. “The economic damage is real, and we must work to protect American jobs and commerce.”
The measures signed by the president include a bill (S. 2519) to clarify the Department of Homeland Security’s (DHS) role in defending private sector computer networks. The legislation codifies the DHS National Cybersecurity Communications Integration Center as an entity charged with facilitating cyberthreat information sharing.
A second bill (S. 2521) updates the Federal Information Security Management Act, the law that governs the security of the federal government’s information technology systems. The legislation clarifies the roles and responsibilities of the Office of Management and Budget and the DHS for information security and updates guidelines federal agencies follow in the event of an unauthorized release of data.
A third bill (S. 1353) provides the federal government with explicit authority to develop voluntary cybersecurity standards for the private sector, such as the framework of best practices for U.S. companies developed by the National Institute of Standards and Technology in February 2014.
Following the Sony attack, President Obama said he hopes to work with Congress on “strong” cybersecurity legislation that would facilitate information sharing so attacks can be prevented. “One of the things in the New Year that I hope Congress is prepared to work with us on is strong cybersecurity laws that allow for information-sharing across private sector platforms, as well as the public sector, so that we are incorporating best practices and preventing these attacks from happening in the first place,” he said at a Dec. 19 press conference.
However, in the last Congress, the president threated to veto legislation passed by the House (H.R. 624) and reported by the Senate Intelligence Committee (S. 2588) that would have provided liability protection for companies that share cyberthreat data with government or industry partners. Privacy advocates strongly objected to those measures, arguing that they would potentially allow the U.S. government to increase its surveillance of the Internet.