Barack Obama wants to prod corporations into addressing their cybersecurity weaknesses, and he used his State of the Union speech Tuesday night to do just that.
Obama also placed responsibility for inaction and any damage from future attacks on the shoulders of a deeply divided, partisan Congress. His proposals are still largely shapeless. But if Congress doesn’t help develop an aggressive plan and if companies are then hit by waves of serious cyberattacks - as the most pessimistic security professionals believe will happen this year - Republicans and Democrats alike may come under fire.
Online security wouldn’t have warranted presidential attention in the past, but in the wake of the Sony hack, corporate America is grappling with the destructive power of a serious breach.
Cybersecurity experts have warned for months that corporate hackers are using techniques once reserved for nation-state level warfare, and they say an attack on the nation’s largest businesses could disrupt commerce, livelihoods and workers’ morale.
In his written speech, Obama said:
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”
These remarks echo proposals that the president floated before his State of the Union speech. He recently pressed Congress to provide liability protection for companies that share threat information with one another and to force corporations to notify customers within 30 days of discovering any breach involving data theft.
Obama’s proposed legislative package also allows the government to prosecute the sale of “botnets” (networks of computers used to send viruses and overwhelm other systems with spam). It expands legal oversight over spyware that’s used by stalkers and identity thieves, and prohibits companies from using student data for anything other than education.
The Obama ideas with the most potential to bolster corporate security are his threat-sharing measure and the corporate disclosure rule.
Collaboration is considered to be one of the best defenses against cybercrime, but a recent PricewaterhouseCoopers survey found that only 25 percent of businesses currently share information about attacks. Obama wants to encourage companies to share threat data with the government in order to get liability protection.
“We need specific mandates that establish controls on the type of data shared to ensure it both accurately reflects the attack while simultaneously protecting citizens’ rights under the Fourth Amendment,” says Joe Eandi, the chief executive of the cybersecurity startup Vorstack.
The disclosure rule is useful not because it increases security per se, but because it gives companies an incentive to pre-emptively beef up their defenses.
As Sumit Agarwal, a former Defense Department advisor and co-founder of a startup, Shape Security, put it: “Companies don’t like to be embarrassed, and being forced to notify customers every time they’re breached will hopefully cause them to take (preventive) steps.”
Corporations like Sony have proven that they’re reluctant to follow best security practices until disaster strikes, which is why the president’s proposals are important even if they’re still nascent.
Industry experts say that past attempts at government regulation have prodded the private sector to self-regulate and lessened the need for government intervention. Hopefully the trend will continue and businesses will raise their game even if Congress doesn’t act.
In the end, of course, it’s corporate America’s responsibility to take security seriously and protect its data - and ours. That task shouldn’t be dumped off on the government. At best, legislation might motivate and shame businesses into doing the right thing. Or maybe it will require another massive cyber-attack on a corporation to move things along.
Katie Benner is a tech columnist with Bloomberg View.