President Obama called for strengthening cybersecurity and privacy protection in his State of the Union speech Tuesday. Most security experts agree with the President's overall goals, but warn of potential unintended consequences that could do more harm than good.
A vision for stronger cybersecurity
The President outlined three broad areas to focus on: cybersecurity information sharing, modernization of law enforcement agencies' weapons against cybercrime, and national data breach reporting. Those are all worthy goals, however, they're not necessarily the more urgent ones. Security experts disagree on how--or whether--these goals can even be achieved.
Gary Steele, CEO at Proofpoint, said, "The President's inclusion of cybersecurity as a topic in his speech is further validation of the critical importance of this issue across all industries and sectors, public and private. As regards his specific proposals, it is absolutely the role of the government to legislate consumer protection--but not corporate security strategy. Legislation cannot evolve as quickly as the threat landscape."
Reforming existing security rules
"From the point of view of a company that is subject to notifying the public of breaches, I can say it would be a breath of fresh air to have a single, consolidated, and consistent regulation to deal with," declared Mark Kraynak, Chief Product Officer, Imperva. "But from a practical industry perspective, if there's any value to breach notifications, it's already been realized by the plethora of overlapping state and international laws."
Tripwire CTO Dwayne Melancon also suggested starting with some clarification of the existing rules and requirements. "Organizations have an overwhelming array of choices available to improve their cybersecurity programs, but what criteria should they use to make these investment decisions?"
Melancon added that the lack of clarity also hampered corporate risk assessment around cybersecurity policy and practices. "None of the expectations about cybersecurity protection are clearly articulated, and few come from an authoritative source," Melancon said. "This means that it's difficult for companies to legally defend themselves in the event of a significant breach, and it also makes it difficult for companies that haven't been breached to accurately assess business risks."
Robert Hansen, VP of WhiteHat Labs at WhiteHat Security, was less than enthusiastic about Obama's cybersecurity proposals. "While it's understandable that the American population wants to take a stand against computer crime, what the President is proposing to enact into law would have made no difference in the Sony case."
Hansen suggested that the technologies being recommended to protect a free and open Internet will actually make government censorship easier, and have a chilling effect on benign computer security research--efforts by researchers like those at WhiteHat Labs designed to proactively identify vulnerabilities and exploits in order to protect the American public. Businesses may move out of the United States for fear of public backlash if they are required to disclose that they have been breached.
Chris Doggett, managing director for Kaspersky Lab North America, agreed that any legislation enacted shouldn't end up prohibiting the techniques and methods used by legitimate security researchers, security consulting companies, and security vendors. He warns that we can't "handcuff" the very people and organizations we rely on to defend us from the cybercriminals.
Doggett also stressed that mandated information sharing could do more harm than good. "It should not cross-over into the area of broad-reaching surveillance (in conflict with our right to privacy), nor should regulations be enacted that force information disclosures which compromise criminal investigations. And of course, we must safeguard against information being disclosed which causes incremental damage to the victims of the attacks or unduly punishes those who are not our true adversaries in the battle against cybercrime."
Stay calm and keep secure
Cybersecurity plays an integral role in the safety and economic stability of our nation. It's about time that cybersecurity be treated as a higher priority, and that we start to find ways for the public and private sector to work together for better security. Finding a politically acceptable common ground that actually has a chance of impacting cybersecurity is a virtually impossible task, though.
It's important for people to be informed about what the government is planning, and to speak up to their elected officials if they disagree with proposed legislation. Tim Erlin, director of IT security and risk strategy at Tripwire, cautions against freaking out prematurely, though. "Rhetoric is just that, and the cybersecurity industry as a whole should be cautious about Obama's proposals. Until they make their way through the muck and mire of Congress, they remain merely ideas aspiring to become reality."