Obama to Congress: Enact Cybersecurity Laws
President Warns of a Nation Vulnerable Without New Statutes

President Obama urged Congress in his State of the Union address to pass legislation to better meet the evolving cyberthreat, but spent very little of the speech explaining its dangers or detailing his cybersecurity legislative agenda.
Indeed, of the 6,766 words in the Jan. 20 address, only 113 dealt with cybersecurity:
"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids. So we're making sure our government integrates intelligence to combat cyberthreats, just as we have done to combat terrorism.
"And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft and protect our children's information. That should be a bipartisan effort. If we don't act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."
NSA Spying Report Coming
That's all the president said on his cybersecurity agenda. However, when addressing the battle against terrorism, the president referenced the National Security Agency's bulk-collection program.
"As Americans, we cherish our civil liberties, and we need to uphold that commitment if we want maximum cooperation from other countries and industry in our fight against terrorist networks," Obama said. "So while some have moved on from the debates over our surveillance programs, I have not. As promised, our intelligence agencies have worked hard, with the recommendations of privacy advocates, to increase transparency and build more safeguards against potential abuse. And next month, we'll issue a report on how we're keeping our promise to keep our country safe while strengthening privacy."
During the address, when he proposed action on his cybersecurity legislative package, members of Congress from both sides of the aisle gave Obama a standing ovation. Unlike immigration or tax reform, cybersecurity is an area where Republicans, who control both houses of Congress, and the Democratic president have general agreement, although they've differed on the details of the legislation.
Time Doesn't Equate to Significance
Administration officials in the past have said that mere mention of cybersecurity in the State of the Union address signifies its importance as a White House priority and cautioned against equating the amount of time devoted to the topic in the speech with its significance.
In fact, the president's actions in recent days demonstrate his commitment to get Congress to enact his cybersecurity legislative agenda. Obama spent a good part of the previous week promoting his cybersecurity agenda, which includes encouraging businesses to share cyberthreat information with the government and other businesses and nationalizing data breach notification.
The new chairman of the House Intelligence Committee applauded Obama's acknowledgement of the need for cyberthreat-sharing legislation. "Although the House of Representatives passed a cybersecurity bill in the last Congress, our efforts died in the Senate amid a presidential veto threat," said Rep. Devin Nunes, R-Calif. "So I welcome the President's recognition tonight of the urgent need for legislation to counter the growing menace of cyberattacks."
Privacy and Liability Protections
The White House twice threatened to veto the House-passed Cyber Intelligence Sharing and Protection Act, known as CISPA, because it contended that the bill didn't provide enough privacy protection for citizens' data and offered overly broad liability protections to businesses. A senior administration official said in a briefing last week that the president's proposal would offer targeted liability protection to businesses that share cyberthreat information. The president's plan also would safeguard Americans' personal privacy by requiring businesses, in order to qualify for liability protection, to comply with certain privacy restrictions, such as removing unnecessary personal information and taking measures to protect any personal information that must be shared.
Sen. Tom Carper, the ranking member of the Senate Homeland Security and Governmental Affairs Committee, endorsed Obama's cyberthreat information sharing plan. "It is essential that any information-sharing bill strike an appropriate balance between the ability to share necessary data and to protect privacy and civil liberties," said Carper, D-Del. "Congress must act quickly to heed the president's call and bring forth information-sharing legislation in the face of the growing and evolving cyberthreat."
Obama, in outlining his plan to nationalize data breach notification in a Jan. 12 speech at the Federal Trade Commission, said it would require businesses to notify consumers within 30 days of a breach. If enacted, the Personal Data Notification and Protection Act would pre-empt 47 state data breach notification statutes. In the FTC speech, Obama outlined new steps by the government to assist victims of identity theft, including supporting the Federal Trade Commission in its development of a new one-stop resource for victims at IdentityTheft.gov and expanding information sharing to ensure federal investigators' ability to regularly report evidence of stolen financial and other information to companies whose customers are directly affected.
Businesses Encouraged by President's Remarks
Several business groups said they are encouraged by the president's remarks, but warned that legislation itself won't resolve the security challenges faced in cyberspace. "No single technology is the answer and tonight's speech is merely the beginning of the discussion in 2015 on data security," said Stephen Orfei, general manager of the PCI Security Standards Council. "We cannot fall into the trap of thinking there's a silver bullet, there isn't. A collaborative and vigilant effort between government and the private sector is the only way forward."
Ron Gula, chief executive of Tenable Network Security, said the president's 30-day breach notification plan won't suddenly make the country's networks more secure. "Only sound security practices can do that," he said. "But it will simplify the rules and that's a good start. After a data breach like the one experienced by Sony, organizations are faced with one of the worst decisions they will ever have to make. Replacing dozens of state laws with one federal law will help make that decision easier."
But the advocacy group Center for Democracy and Technology has raised concerns about a national data breach law. "Because many businesses operate nationwide, they tend to follow the strictest state laws for simplicity's sake, meaning that consumers nationwide tend to benefit from the most robust state laws," Center Policy Counsel G.S. Hans said. "A federal law could supersede all the state laws, thus weakening protections for most Americans."
Safeguarding Students
Another measure proposed by Obama last week would ensure that data collected about students in schools be used only for educational purposes and not be sold to third parties unrelated to an educational mission.
Among Obama's legislative proposals is one that would strengthen law enforcement's ability to combat cybercrime. If enacted, the measure would allow the prosecution of those who sell botnets; expand federal law enforcement authority to deter the sale of spyware used to stalk or commit identity theft; and give courts the authority to shut down botnets engaged in distributed denial-of-service attacks and other criminal activity.
It also would apply to cybercriminals the Racketeer Influenced and Corrupt Organizations Act, the statute known as RICO that government lawyers use to prosecute those involved in organized crime, as well as clarify the penalties for computer crimes and ensure these penalties are in line with those for similar non-cyber crimes.