(Bloomberg View) — President Barack Obama wants to prod corporations into addressing their cybersecurity weaknesses and he used his State of the Union speech to do just that.

Obama also placed responsibility for inaction and any damage from future attacks on the shoulders of a deeply divided, partisan Congress. His proposals are still largely shapeless. But if Congress doesn't help develop an aggressive plan and if companies are then hit by waves of serious cyberattacks — as the most pessimistic security professionals believe will happen this year — Republicans and Democrats alike may come under fire. 

Online security wouldn't have warranted presidential attention in the past, but in the wake of the Sony hack, corporate America is grappling with the destructive power of a serious breach. Cybersecurity experts have warned for months that corporate hackers are using techniques once reserved for nation-state level warfare and they say an attack on the nation's largest businesses could disrupt commerce, livelihoods and workers' morale.

In his written speech, Obama said:

No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children's information. If we don't act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.

These remarks echo proposals that the president floated prior to his State of the Union speech. He recently pressed Congress to provide liability protection for companies that share threat information with one another and to force corporations to notify customers within 30 days of discovering any breach involving data theft.

Obama's proposed legislative package also allows the government to prosecute the sale of "botnets" (networks of computers used to send viruses and overwhelm other systems with spam). It expands legal oversight over spyware that's used by stalkers and identity thieves, and prohibits companies from using student data for anything other than education.

The Obama ideas with the most potential to bolster corporate security are his threat-sharing measure and the corporate disclosure rule. 

As I've written before, collaboration is considered to be one of the best defenses against cybercrime, but a recent PricewaterhouseCoopers survey found that only 25% of businesses currently share information about attacks. Obama wants to encourage companies to share threat data with the government in order to get liability protection. 

"We need specific mandates that establish controls on the type of data shared to ensure it both accurately reflects the attack while simultaneously protecting citizens' rights under the Fourth Amendment," says Joe Eandi, the chief executive of the cybersecurity startup Vorstack. 

The disclosure rule isn't useful because it increases security per se, but because it gives companies an incentive to pre-emptively beef up their defenses.

As Sumit Agarwal, a former Defense Department advisor and co-founder of a startup, Shape Security, put it: "Companies don't like to be embarrassed and being forced to notify customers every time they're breached will hopefully cause them to take [preventive] steps." 

Corporations like Sony have proven that they're reluctant to follow best security practices until disaster strikes, which is why the president's proposals are important even if they're still nascent. 

Industry experts say that past attempts at government regulation have prodded the private sector to self-regulate and lessened the need for government intervention. Hopefully the trend will continue and businesses will raise their game even if Congress doesn't act. 

In the end, of course, it's corporate America's responsibility to take security seriously and protect their data – and ours. That task shouldn't be dumped off on the government. At best, legislation might motivate and shame businesses into doing the right thing. Or maybe it will require another massive cyber-attack on a corporation to move things along.
