President Obama called for strengthening cybersecurity and privacy protection in his State of the Union speech Tuesday. Most security experts agree with the President's overall goals, but warn of potential unintended consequences that could do more harm than good.
A vision for stronger cybersecurity
The President outlined three broad areas to focus on: cybersecurity information sharing, modernization of law enforcement agencies' weapons against cybercrime, and national data breach reporting. Those are all worthy goals; however, they are not necessarily the most urgent ones. Security experts disagree on how--or whether--these goals can even be achieved.
Gary Steele, CEO at Proofpoint, said, "The President's inclusion of cybersecurity as a topic in his speech is further validation of the critical importance of this issue across all industries and sectors, public and private. As regards his specific proposals, it is absolutely the role of the government to legislate consumer protection--but not corporate security strategy. Legislation cannot evolve as quickly as the threat landscape."
Reforming existing security rules
"From the point of view of a company that is subject to notifying the public of breaches, I can say it would be a breath of fresh air to have a single, consolidated, and consistent regulation to deal with," declared Mark Kraynak, Chief Product Officer, Imperva. "But from a practical industry perspective, if there's any value to breach notifications, it's already been realized by the plethora of overlapping state and international laws."
Tripwire CTO Dwayne Melancon also suggested starting with some clarification of the existing rules and requirements. "Organizations have an overwhelming array of choices available to improve their cybersecurity programs, but what criteria should they use to make these investment decisions?"
Melancon added that the lack of clarity also hampered corporate risk assessment around cybersecurity policy and practices. "None of the expectations about cybersecurity protection are clearly articulated, and few come from an authoritative source," Melancon said. "This means that it's difficult for companies to legally defend themselves in the event of a significant breach, and it also makes it difficult for companies that haven't been breached to accurately assess business risks."
Robert Hansen, VP of WhiteHat Labs at WhiteHat Security, was less than enthusiastic about Obama's cybersecurity proposals. "While it's understandable that the American population wants to take a stand against computer crime, what the President is proposing to enact into law would have made no difference in the Sony case."
Hansen suggested that the technologies being recommended to protect a free and open Internet will actually make government censorship easier, and have a chilling effect on benign computer security research--efforts by researchers like those at WhiteHat Labs designed to proactively identify vulnerabilities and exploits in order to protect the American public. Businesses may move out of the United States for fear of public backlash if they are required to disclose that they have been breached.