Two Themes from Obama’s Cybersecurity Proposal: Private Auditors and Immunity

Two and a half years after privatized auditors largely signed off on practices that contributed to the collapse of Wall Street, and a year after coziness between government inspectors and the oil industry they regulate allowed a massive oil spill in the gulf, the Obama Administration proposes relying on private auditors to ensure that private companies guard our nation’s cybersecurity.

That’s one of two troubling aspects of the fact sheet the Administration just released, summarizing proposed legislation on cybersecurity it just sent to Congress.

At issue is who investigates the adequacy of a private companies’ cybersecurity plan to both certify it is adequate and ensure compliance with it. The answer? Auditors paid by the private companies.

The Administration proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would develop their own frameworks for addressing cyber threats. Then, each critical-infrastructure operator would have a third-party, commercial auditor assess its cybersecurity risk mitigation plans. Operators who are already required to report to the Security and Exchange Commission would also have to certify that their plans are sufficient. A summary of the plan would be accessible, in order to facilitate transparency and to ensure that the plan is adequate. In the event that the process fails to produce strong frameworks, DHS, working with the National Institute of Standards and Technology, could modify a framework. DHS can also work with firms to help them shore up plans that are deemed insufficient by commercial auditors.

While the promise to make these plans transparent is all well and good, the problem remains that private companies and the auditors they pay get to decide what is sufficient, not someone without a financial stake in the outcome. If government inspectors are important enough for safety issues, shouldn’t they be required for the cyberinfrastructure that is so critical to our safety?

In addition, a big part of this plan may give up one of the sticks the government has to ensure compliance.

One of the reasons why private companies don’t like to reveal when they’ve been hacked is liability issues: not only might their customers respond badly, but in some fields (like finance companies) the companies may face other liability issues.

But the fact sheet offers companies immunity, at the least, for any private data it shares with the government when it reveals it has been hacked.

Voluntary Information Sharing with Industry, States, and Local Government. Businesses, states, and local governments sometimes identify new types of computer viruses or other cyber threats or incidents, but they are uncertain about whether they can share this information with the Federal Government. The Administration proposal makes clear that these entities can share information about cyber threats or incidents with DHS. To fully address these entities’ concerns, it provides them with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.

The fact sheet doesn’t describe the extent of the immunity, and the plan does, at least, make immunity contingent upon privacy protections.

  • When a private-sector business, state, or local government wants to share information with DHS, it must first make reasonable efforts to remove identifying information unrelated to cybersecurity threats.


  • Immunity for the private-sector business, state, or local government is conditioned on its compliance with the requirements of the proposal.

But I wonder about the breadth of this immunity. Does it also offer companies immunity for negligence in the handling of consumer data?

One thing that Al Franken, among others, is pushing, is making it easier for consumers to expect a certain level of protection for their data. Thus, if Sony has two-year-old consumer data sitting around in an unsecure server, it would bear some liability if a hacker came and access that data. Such measures would effectively expose companies to lawsuit if they totally blew off their customers’ data security.

Now at least this proposal mandates that companies tell consumers when their data has been accessed (though I always worry when federal legislation claims to simplify state legislation–it’s often code for “water down”).

National Data Breach Reporting. State laws have helped consumers protect themselves against identity theft while also incentivizing businesses to have better cybersecurity, thus helping to stem the tide of identity theft. These laws require businesses that have suffered an intrusion to notify consumers if the intruder had access to the consumers’ personal information. The Administration proposal helps businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements.

But it’s not clear whether companies would bear any liability for such breaches if and when they alert consumers. Moreover, this says nothing about other public disclosure on breaches, which consumers may have as big an interest in (for example, investors ought to be able to know if banks and other major investors routinely get hacked, and stock holders ought to be able to know if critical proprietary information has been stolen).

Call me crazy, but my hackles start to rise when the government starts granting immunity willy nilly, with almost nothing demanded in exchange.

Update: Kashmir Hill offers one example why a national “simplified” law might be a problem–because it’ll eliminate elements like mandatory identity theft protection and penalties from the most stringent law, in MA.

As for telling customers about their data being breached, the White House says it will “help businesses” by simplifying and standardizing the “existing patchwork of 47 state laws” that have various requirements about how soon to notify customers. In the fact sheet, at least, there’s no mention of penalties for businesses, nor mandatory provision of identity theft monitoring after a breach — two aspects of the harshest data breach law currently in the country, in Massachusetts.

When Militaries Conspire to Ignore the Will of the People

The story of the day is from Michael Hastings, fresh off winning a Polk Award for his reporting on the insubordination of key members of Stanley McChrystal’s staff. In today’s story, he describes how Lieutenant General William Caldwell ordered a PsyOp unit to manipulate Senators–including John McCain, Carl Levin, Jack Reed, and Al Franken–to support increased troops and funding for training Afghan soldiers. When the commander of that unit objected, he was investigated and disciplined. (See Jim White’s post on it here.)

It’s a troubling picture of the extent to which individual members of our military will push the war in Afghanistan, knowing how unpopular it is in the States.

But there’s an equally troubling story reporting on the disdain with which our military treats public opinion. Josh Rogin reports on a regularly scheduled meeting between the Pakistani and American military in Oman that took place on Tuesday; because of the Raymond Davis affair, the meeting had heightened importance. The US was represented by, among others, Admiral Mullen and Generals Petraeus, Olson (SOCOM) and Mattis (CENTCOM).

As Rogin describes it, the Americans, whose views were represented in a written summary from General Jehangir Karamat with confirmation from another Pakistani participant, believed the two militaries had to restore the Pakistani-American relationship before it got completely destroyed by the press and the public.

“The US had to point out that once beyond a tipping point the situation would be taken over by political forces that could not be controlled,” Karamat wrote about the meeting, referring to the reported split between the CIA and the Pakistani Inter-services Intelligence (ISI) that erupted following the Davis shooting.


“[T]he US did not want the US-Pakistan relationship to go into a free fall under media and domestic pressures,” Karamat wrote. “These considerations drove it to ask the [Pakistani] Generals to step in and do what the governments were failing to do-especially because the US military was at a critical stage in Afghanistan and Pakistan was the key to control and resolution.”

“The militaries will now brief and guide their civilian masters and hopefully bring about a qualitative change in the US-Pakistan Relationship by arresting the downhill descent and moving it in the right direction.” [my emphasis]

In short, the US military wants to make sure that military intervenes to counteract the fury of the people and the press over the Davis affair.

Now, don’t get me wrong. I’d rather have the military ensure close relations with this nuclear-armed unstable state. I’m cognizant of how, in different situations (notably the Egyptian uprising), close ties between our military and others’ have helped to foster greater democracy. As Dana Priest’s The Mission makes clear our military has increasingly become the best functioning “diplomatic” service we’ve got. And though I think a great deal of stupidity and arrogance got Davis into the pickle he’s in, I certainly back our government’s efforts to get him returned to our country (Rogin also provides details of the plan to do that).

But particularly coming as it does in the same theater and on the same day as news of PsyOps being waged against my Senator, I’m troubled that our military isn’t more concerned with reining in the behavior that has rightly ticked off so many Pakistanis, rather than coordinating with the Pakistani military to make sure the people of Pakistan’s concerns are ignored.

Franken’s Fleeting Fourth Amendment

Remember this stunt? It was just two weeks ago that Al Franken was reading the Fourth Amendment to David Kris. Franken made a good point about how you should identify individuals before collecting their data.

Of course, two weeks later, Franken voted with eight other Democrats to continue to allow the government to collect information–things like shopping histories–about people without first identifying whose information they want to collect. Just collect a list of everyone in Aurora, CO who bought acetone, Franken seems to be saying, and too bad for the guy with an Arabic name who becomes an FBI target because he’s painting his house.

Just two weeks later and it seems someone needs to give Franken the lesson he was trying to give Kris.

Senator Al Franken!


Makes me smile:

Five years after he put his money behind the Swift Boat ads that helped tank John Kerry’s presidential campaign, Senate Democrats gave T. Boone Pickens a warm welcome at their weekly policy lunch Thursday. 

Or at least most of them did. 

Kerry skipped the regularly scheduled lunch; his staff said the Massachusetts Democrat “was unable to attend because he had a long scheduled lunch with his interns and pages.” 

Sen. Al Franken managed to make time for the lunch — but then let Pickens have it afterward. 

According to a source, the wealthy oil and gas magnate and author of “The First Billion Is the Hardest” stepped up to introduce himself to Franken in a room just off the Senate Floor after the lunch ended

Franken, who was seated talking to someone else, did not stand when Pickens said hello. Instead, Franken began to berate him about the billionaire’s financing of the Swift Boat ads in 2004.

I’m happy with people who want to partner with Pickens. Fine.

But don’t do it at a party caucus lunch.

Don’t make your former Presidential candidate schedule lunches with his interns and pages!!

Schadenfreude Delayed

Remember how, back in 2002, the nutters attacked Al Franken because some nutters got booed during Paul Wellstone’s funeral?

To this day, there are still a lot of people, including Democrats, who’ve bought the right wing line on the Wellstone Memorial. Specifically, that it was a cynical, premeditated political event that included endless booing of Republican politicians who came to pay their respects to their fallen colleague. I wrote a pretty detailed account of the Wellstone Memorial in my book Lies and the Lying Liars Who Tell Them, and nothing could be further from the truth. I did write that "reasonable people of good will were genuinely offended." The memorial was raucous and a couple of speakers said some things that were inappropriate – basically, let’s win this (upcoming Senate) election for Paul.

There were also honest Republicans of good will, including Jim Ramstad – the Congressman from the Minneapolis suburban district I grew up in – who acted like human beings and cut the speakers who offended (Rick Kahn and, to a lesser degree, Mark Wellstone) a little slack because they understood that Rick had lost six very close friends and Mark had lost his father, mother, and sister.

The chapter was mainly about how cynically Republicans used the memorial politically as they complained that the Democrats had used it politically. And how the mainstream media, many of whom had neither attended the memorial nor seen it on TV, bought into the Republican spin.

Mainly, there was a lot of lying. Rush Limbaugh claimed that the audience was "planted," when, in fact, Twin Cities’ radio and TV had to tell people to stay away because Williams Arena was jammed to capacity three hours before the Memorial was scheduled to begin. Thousands were crowded into an overflow gym to watch on a screen and thousands watched outside on a cold, late October night.

A pained Limbaugh asked his audience the day after the memorial: "Where was the grief? Where were the tears? Where was the memorial service? There wasn’t any of this!"

This was a lie. I was there. Along with everyone else, I cried, I laughed, I cheered. It was, to my mind, a beautiful four-hour memorial.

I didn’t boo. Neither did 22,800 of the some 23,000 people there.

Rush? You want grief? 

I present to you Senator Al Franken.