President Barack Obama and U.K. Prime Minister David Cameron Friday announced efforts to bolster defenses against hacking threats, including the creation of a joint cybersecurity unit between intelligence and law enforcement agencies.
It’s the latest move in a monthlong Obama anti-hacking effort that puts the tension between privacy and public safety on display.
Obama, who hosted Cameron at the White House, cited the destructive hacking attack against Sony Pictures Entertainment in rolling out cybersecurity proposals this past week that would encourage companies to turn over evidence of hacks to the government. He will include it in his State of the Union address Jan. 20 and will attend a cybersecurity summit Feb. 13 in Stanford, California.
Cameron wants Obama’s help in getting U.S.-based companies such as Facebook Inc. and Google Inc. to do more to stop extremists -- such as those involved in a pair of massacres in Paris -- from communicating in secret. He wants intelligence services and police to have the right to access encrypted message services such as Snapchat and WhatsApp.
Obama said it’s “a problem” if police and intelligence agencies can’t intercept communications to stop a specific terrorist plot, and his administration is discussing the matter with technology companies to find a solution.
“Social media and the Internet is the primary way in which these terrorist organizations are communicating,” Obama said during a joint news conference with Cameron in Washington. “The laws that might have been designed for the traditional wiretap have to be updated. How we do that needs to be debated both here in the United States and in the U.K.”
Both leaders say they are trying to balance security needs with civil liberties, although their proposals have come under criticism from industry groups and privacy advocates.
“I don’t think either of us are trying to enunciate some new doctrine,” Cameron said at the press conference. “We’re not asking for backdoors. We believe in very clear front doors through legal processes that should help keep our country safe.”
The two leaders spoke just hours after a raid that broke up an alleged terror plot in Belgium. Police learned of planning for an attack through intercepted phone conversations, according to Le Soir newspaper.
In addition to action to stop extremists, both governments are moving to protect against breaches by hackers. The new cybersecurity unit will enable greater cooperation and information sharing between the U.S. National Security Agency and U.K. Government Communications Headquarters, according to a statement from the White House.
“Both leaders agreed to bolster efforts to enhance the cybersecurity of critical infrastructure in both countries, strengthen threat information sharing and intelligence cooperation on cyber issues, and support new educational exchanges between U.S. and British cybersecurity scholars and researchers,” according to the statement.
As part of his visit, Cameron’s administration arranged for U.K.-based cybersecurity companies to meet with White House cybersecurity coordinator Michael Daniel as well as officials from the Homeland Security Department and the American Bankers Association.
“The sophistication of the threat is getting greater,” said Nicole Eagan, chief executive officer for Darktrace, a cybersecurity company based in Cambridge that was invited. “It’s going to take governments working together and it’s going to take private sectors working together to confront this.”
Banks in London and New York plan to simulate a massive cyber-attack on their computer systems later this year as part of joint war games run by the U.S. and U.K. governments.
“This is an evolving threat which poses a real risk to our businesses and that’s why we’re taking our cooperation with the U.S. to an unprecedented level,” Cameron said in a statement.
While Obama said this week that beefing up U.S. cyberdefenses is a top priority, his approach is tempered by revelations in 2013 about the NSA spying on electronic communications.
The White House sent lawmakers proposed legislation on Jan. 13 that would give companies legal protections for sharing information about hacking threats with each other and the government.
While there is broad agreement companies should get legal protections for sharing threat data, Congress has failed to reach a deal on a bill. Senior Republican lawmakers said they would review Obama’s proposal, though stopped short of committing to passing it.
“Having a safe and secure Internet system are paramount for both the national and economic security concerns,” said Devin Nunes, a California Republican and chairman of the House intelligence committee. “We must work closely together to build a coalition of folks willing to do the right thing for the future of the Internet and our economy.”
Supporters see a glimmer of hope for finding agreement in the wake of the Sony hack. Senate Majority Leader Mitch McConnell, a Kentucky Republican, on Thursday identified cybersecurity and trade as issues on which he expects to see bipartisan cooperation.
Obama has also asked Congress to pass stalled legislation that would require companies that have consumer data hacked to notify customers who are at risk.
The president also wants Congress to enable law enforcement to better investigate, disrupt and prosecute cybercrime, including by criminalizing the sale of botnets and stolen U.S. financial data such as credit card and bank account numbers.
Cameron is seeking Obama’s support to ensure extremists can’t communicate in secret following the attack on the French satirical weekly newspaper Charlie Hebdo.
“These companies are run by good and sensible people. We’re having good and productive conversations,” Cameron said in an interview with Channel 4 News.
“They don’t want to be the platform that becomes safe for terrorists to talk to each other and plan appalling outrages on,” he said.
Apple Inc. and Google said in September that their new phones would automatically encrypt data, making it harder for detectives to examine the content of suspects’ phones without their knowledge or cooperation. Encryption scrambles data and a digital key kept by the owner is needed to unlock it.
Other companies like Facebook allow their users to communicate through encrypted channels. Cameron has vowed to introduce legislation empowering intelligence and law enforcement agencies to crack communications to prevent an imminent attack.
Spokeswomen Jodi Seth of Facebook, Niki Christoff of Google and Kristin Huguet at Apple all declined via e-mail to comment.
Huguet pointed to previous remarks about privacy made by Apple Chief Executive Officer Tim Cook.
“If law enforcement wants something, they should go to the user and get it. It’s not for me to do it,” Cook told the Wall Street Journal in October. “We’re not Big Brother.”
Kevin Bankston, policy director of the New America Foundation’s Open Technology Institute in Washington, said in a phone interview that, “In an era of pervasive cybersecurity threats, it is dangerous and foolish for Prime Minister Cameron to demand that Internet companies engineer their products to have weaker security.”
Although the Federal Bureau of Investigation has raised concerns, the Obama administration hasn’t endorsed any specific legislation that would allow agencies to break encryption. Instead, FBI and other law enforcement officials have been discussing alternative approaches with Apple and Google.
“It is imperative that we properly balance the need for government intelligence agencies and national security agencies to have information” with privacy rights, White House spokesman Josh Earnest told reporters Thursday. Cameron has asked Nigel Sheinwald, former U.K. ambassador to Washington, to find ways of getting technology companies to share data with British authorities even though they’re mainly under U.S. jurisdiction.
Privacy advocates argue it isn’t realistic to prevent encrypted services from being used, and that trying to do so will undermine security and harm the U.S. Internet economy.
“Creating a back door into technology products and services that are protected by encryption would be devastating to the security of individuals as well as many businesses around the world,” Harley Geiger, senior counsel for the Center for Democracy and Technology in Washington, said in a phone interview. “The proposal is as bad as it ever was.”
Meanwhile, New York Attorney General Eric Schneiderman has proposed what he called “the strongest” data security law in the nation to combat an increase in the theft of personal information online, including a breach at JPMorgan Chase & Co.
Schneiderman said he’ll propose a bill to legislators in Albany to expand the definition of private information to include e-mail addresses in combination with passwords or other data that would permit access to online accounts. It would also require companies that store information to have security measures in place, the attorney general said in a statement Thursday.