Privacy concerns surrounding President Barack Obama’s Feb. 12 cybersecurity executive order and legislation introduced in Congress are misplaced, members of a panel said Tuesday at the Dow Jones Global Compliance Symposium.
“It’s easy to get wrapped up in CISPA as a civil liberties issue,” said Stewart Baker, a partner at Steptoe & Johnson LLP, referring to opponents of the Cyber Intelligence Sharing and Protection Act, which is awaiting a markup in the House. “I think that’s probably mostly wrong.”
Baker said the bill “waives some old privacy laws” but only “in an effort to get some real-time sharing of signatures between the government and the private sector.”
Fellow panelist Lisa Sotto, a partner at Hunton & Williams LLP, added that the privacy facet of the executive order is essentially “meaningless, because it says we need to consider, in considering privacy, the Fair Information Practice Principles” — but those principles don’t apply to hackers.
The two-member panel addressed ways companies can protect themselves from additional damage after a cyber intrusion and the various steps the federal government is taking to cut down on hacking.
Sotto characterized the executive order as more of a political effort than anything else.
“I also think it’s pretty clear that the administration is essentially goading Congress to enact legislation,” she said, “and once legislation comes, this whole thing is out the window, so it’s not worth the paper it’s written on, because legislation of course takes priority.”
But the rules already on the books are complicated enough, the panelists suggested, for a breached company to navigate.
Sotto advised that a business that’s been hacked hire an outside forensic investigator to determine the scope of the attack and the identity of the attacker before doing anything else. A company then has to figure out which laws apply to its situation — given the patchwork of state data notification laws and the separate requirements of multinational corporations — but should expect to be “besieged” once it goes public with a breach, Sotto said.
Baker raised the prospect of pursuing the hackers independently, an issue that’s stirred controversy on and off Capitol Hill as more and more hacking victims have found themselves exposed in the somewhat lawless territory of cyberspace.
Noting that investigators know more than ever about the perpetrators of cyber attacks, Baker argued for causing attackers “deep and surprising pain.”
“I’ve been talking to the government and gotten a surprisingly good reaction to the idea that, now that we can start to track our attackers, we ought to ask, what can we do to punish them,” Baker said. “And there are a variety of things that the government can do and there are a variety of things that private companies can do.”
A company chasing down its own stolen information, he said, is in a legal gray area — it is arguably violating the Computer Fraud and Abuse Act, but in a way it could also defend, so it might avoid prosecution.
Sotto cautioned that pursuing such a plan is a “very dangerous thing right now, because by hacking back, hacking the hacker, you may be violating law.”
She conceded that “there are ways to do it carefully,” but both Sotto and Baker said companies should talk to counsel before hacking back.