President Obama had some bold proposals for strengthening cybersecurity in his State of the Union address. I think we can all agree that cyber attacks and cybercrime are a serious threat to national security, commerce, individual privacy, and more. The devil is in the details, though, and getting a consensus on the best way to achieve those goals, or on how to achieve them without causing more harm than good, is a daunting challenge.
I spoke with a variety of security experts to get their thoughts on the cybersecurity initiatives proposed by President Obama:
President Obama called for strengthening cybersecurity and privacy protection in his State of the Union speech Tuesday. Most security experts agree with the President’s overall goals, but warn of potential unintended consequences that could do more harm than good.
A vision for stronger cybersecurity
The President outlined three broad areas to focus on: cybersecurity information sharing, modernization of law enforcement agencies’ weapons against cybercrime, and national data breach reporting. Those are all worthy goals; however, they’re not necessarily the more urgent ones. Security experts disagree on how—or whether—these goals can even be achieved.
Gary Steele, CEO at Proofpoint, said, “The President’s inclusion of cybersecurity as a topic in his speech is further validation of the critical importance of this issue across all industries and sectors, public and private. As regards his specific proposals, it is absolutely the role of the government to legislate consumer protection—but not corporate security strategy. Legislation cannot evolve as quickly as the threat landscape.”
Reforming existing security rules
“From the point of view of a company that is subject to notifying the public of breaches, I can say it would be a breath of fresh air to have a single, consolidated, and consistent regulation to deal with,” declared Mark Kraynak, Chief Product Officer, Imperva. “But from a practical industry perspective, if there’s any value to breach notifications, it’s already been realized by the plethora of overlapping state and international laws.”
Tripwire CTO Dwayne Melancon also suggested starting with some clarification of the existing rules and requirements. “Organizations have an overwhelming array of choices available to improve their cybersecurity programs, but what criteria should they use to make these investment decisions?”
Melancon added that the lack of clarity also hampered corporate risk assessment around cybersecurity policy and practices. “None of the expectations about cybersecurity protection are clearly articulated, and few come from an authoritative source,” Melancon said. “This means that it’s difficult for companies to legally defend themselves in the event of a significant breach, and it also makes it difficult for companies that haven’t been breached to accurately assess business risks.”
Read the full story at PCWorld: Obama supports cybersecurity and privacy, but experts warn of unintended impacts.