The White House made a renewed push Tuesday for cybersecurity legislation, asking the new Congress to revive the legislative initiatives that have been stalled over the past few years.
In a speech at the Federal Trade Commission earlier today, President Obama unveiled the comprehensive measure, which includes enabling cybersecurity information sharing, modernizing law enforcement to better combat cybercrime and national data breach reporting reforms.
Among the items is the first federal standard for data breach notification, the Personal Data Notification and Protection Act, which will require companies to inform customers within 30 days of discovery that their personal information may have been exposed to hackers. The move comes only weeks after the notorious Sony Pictures breach, which rattled consumers, business leaders and policymakers, causing many to call for tougher reform and regulation around breach notification laws.
The proposal would also would criminalize the sale of stolen financial data, and allow increased sharing of information on cyber-threats from the private sector, with protection from liability. Those indicators of cyber-threats would immediately be shared with other government agencies like the DHS, FBI, NSA, and Secret Service, as well as private-sector information sharing and analysis organizations (ISAOs) and centers (ISACs).
Overall, the package “promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration and information sharing amongst the private sector,” according to a White House statement.
The news was largely greeted with positive feedback—although the devil, as always, will be in the details. The retail industry, is arguably the hardest hit in the data breach epidemic.
“Collaboration between industry and government to share threat information is crucial in the fight against sophisticated and persistent cybercriminals,” said Nicholas Ahrens, vice president for cybersecurity and data privacy at Retail Industry Leader’s Association (RILA). “Retailers have made great strides setting up the Retail Cyber Intelligence Sharing Center (R-CISC) and facilitating threat information-sharing, both within the industry and also with the government. We look forward to continuing to coordinate with the NCCIC in the fight to protect customers from cybercriminals.”
The National Consumers League (NCL) meanwhile applauded the effort, sending out a statement to media saying that it has supported a strong national data breach notification standard, modeled after state law in California, which would set a national floor for breach notification without preempting stronger state laws. NCL has also called on Congress to strengthen civil and criminal penalties for malicious hacking and criminalize the overseas trade in stolen identities.
“The threat of criminal hacking is eroding consumers’ faith in our interconnected digital economy,” said Sally Greenberg, NCL executive director. “We must not allow the immense benefits of our information revolution to fall victim to those who would steal consumers’ personal data for their own gain. The President’s proposal for a national data breach notification standard is an important step forward in giving consumers more control over their data, but there is much more to do. We look forward to learning more about the Administration’s proposal so that consumers will benefit from the strongest possible protections.”
As for cybersecurity experts, there’s little complaint in the community other than the fact that the proposal may not go far enough.
“Fighting a cyber-war – even a defensive one – requires the same three disciplines as a regular battle: you have to understand the terrain you’re fighting on, your own forces, and the movements of the enemy,” said Mike Lloyd, CTO at RedSeal. “The President’s proposal engages with the last of these problems – we need to share information, because no one defender can see what is going on, or which techniques are being used to attack other organizations, etc. This is a good step, but is not enough. If organizations hope to benefit from timely intelligence information, they will need to understand their own defensive posture and readiness.”
“Like any legislation, this won't change how companies act unless there are real consequences and penalties,” said Eric Chiu, president and co-founder at HyTrust, in an email. “Also, with breaches happening more frequently and the damage getting bigger — especially when the primary threat is coming from the inside — this legislation will do little to slow down or stop the real threat. Ultimately, companies need to stop viewing security as an insurance plan; instead, they need to think of security as a part of doing business. Until that happens, we will continue to see these breaches take place.”
“It is critical companies have the tools they need to battle cybercriminals and shield customers from breaches. Strong information sharing laws will be a critical part of that winning that battle," said Tim Pawlenty, president and CEO of the Financial Services Roundtable (FSR), in a note to Infosecurity. "Cybercriminals, hactivists and terrorists aren’t resting and neither should Congress.”
Both chambers of Congress have addressed information sharing legislation in the last year, but the bills failed to become law.