State of the Union: Pres Expected to Clarify Info-Sharing Policy

President Obama’s next-to-last State of the Union Address this evening is expected to be the forum for announcing extensive cybersecurity readiness policies, including cybersecurity information sharing, data breach reporting, establishing a consumer privacy bill of rights and more.

The president is expected to outline his vision for cybersecurity and call on Congress to take action on a sweeping proposal on data breaches, hacking and information sharing, which he unveiled last week as a preview of tonight’s policy outline. But the info-sharing piece will likely be a centerpiece of the topic this evening.

Right now, the Department of Homeland Security (DHS) uses Information Sharing and Analysis Centers, or ISACs, as information clearinghouses to work with industry on a vertical-by-vertical basis. Now, it’s time for a transition to what the president calls Information Sharing and Analysis Organizations, or ISAOs, which would be set up to be more horizontal, oriented around regions, topics, incidents and the like—and they can even be created and dismantled as needed, on an ad hoc basis.

“We want not to restrict our relationship to the private sector to the sector-based organizations,” a senior administration official told Politico. There are “undefined frontiers that we are very much interested in exploring with the private sector.”

So, DHS will soon be tasked with developing an ISAO best practices guide, the official said.

“Neither government nor the private sector can defend the nation alone,” the president said Tuesday afternoon during a visit to the National Cybersecurity and Communications Integration Center in Arlington, Va. “It’s going to have to be a shared mission—government and industry working hand in hand.”

Obama is also expected to position cybercrime as the frontier of law enforcement, highlighting that there is a real need for organizations and governments to share their intelligence with one another in order to fight back against cybercriminals.

“We want cybercriminals to feel the full force of American justice, because they are doing as much damage—if not more, these days—as folks who are involved in more conventional crime,” he said on Tuesday.

Many applaud the efforts of the president in dragging cybersecurity into the light as a space in which the government should take the initiative. However, Chris Doggett, managing director at Kaspersky Lab North America, noted that there is always a risk that ineffective or overly burdensome legislation will do more harm than good.

“There is a reasonably high risk of this due to the complexity of the issues, the relative lack of understanding of the cybersecurity space, and the rapid evolution and sophistication of the threats that we are up against,” he told Infosecurity. “In addition, we must avoid inadvertently penalizing those we are trying to protect (consumers, businesses, etc.), either by infringing on their rights to privacy, hampering a law enforcement investigation, or by negatively impacting innovation or the economy on the whole.”

The annual address to the nation comes on the heels of a busy few days in the government cyber-world. Last week, Obama and UK Prime Minister David Cameron agreed to further strengthen and deepen the cybersecurity cooperation between their two countries, with a range of collaborative cyber-initiatives that include staging “war games” to test bank readiness.

And during a joint press conference with Cameron from the White House’s Oval Office on Friday, Obama noted the need to balance privacy needs with the US’s “ability to operate in cyberspace” with a rational, consistent framework. He also noted the role of tech companies, who would be called upon to establish back doors into customer accounts if governments were allowed to snoop inside encrypted communications. Businesses would need to be able to fulfill their pledges to their customers.
