Security Experts React to President's Cybersecurity Proposals

Information security experts today praised the attention U.S. President Barack Obama is lavishing on cybersecurity, but some have concerns about how the proposed legislation will be implemented and enforced, while others say the proposals don't go far enough.

In a speech at the U.S. Federal Trade Commission (FTC) today -- marking the first time a U.S. president has come to the FTC since Franklin Delano Roosevelt's visit in 1937 -- Obama proposed legislation that would require companies to notify consumers that their personal information has been compromised within 30 days of the discovery of a data breach. The legislation would also enhance law enforcement's capability to pursue those who trade in stolen identities, even overseas.

"If we're going to be connected, then we need to be protected," Obama said. "As Americans, we shouldn't have to forfeit our basic privacy when we go online to do business."

Obama said he will also reintroduce the Consumer Privacy Bill of Rights and introduce another piece of legislation that would ban educational software providers from using the data they collect from students for marketing purposes.

"Data collected on students in the classroom should only be used for educational purposes -- to teach our children, not to market to our children," Obama said.

Obama intends to detail the proposals in his State of the Union speech next week.

Information security experts were quick to embrace the president's focus on these issues.

"I think it's really positive that the issues around cybersecurity are getting this level of attention and scrutiny," says Ken Levine, president and CEO of data loss prevention specialist Digital Guardian. "Certainly the industry getting together and sharing vital information is an important step in the right direction. Recognizing that protecting consumer information is a step in the right direction."

The Risks of Over-Reporting

"It's really good news that our federal government is preempting state law, specifically with the requirement to notify data breach victims in a set time period," adds Larry Ponemon, founder and chairman of the Ponemon Institute, a research center dedicated to privacy, data protection and information security policy. "Companies have had a hard time managing the various state laws because there are 46 or 47 of them. It's actually a good thing to have one set of rules for notification."

However, Ponemon is somewhat concerned about the idea of mandating a strict 30-day notification window. For the past nine years, the Ponemon Institute has conducted annual studies on the cost of data breaches. It has found that rapid notification can increase the cost of data breaches by an average of $7 per record.

"On the negative side, there is definitely a cost to reporting early," Ponemon says. "Consumers that receive a notification that their data has been lost or stolen get very angry if they later get a notification that they were notified in error."

Ponemon has found that the loss of customer loyalty does the most damage to a company's bottom line in the wake of a data breach. Companies typically need to spend heavily to regain their brand image and acquire new customers. Pharmaceutical companies, financial services firms and healthcare organizations often see the worst churn in these cases.

Companies should be required to notify victims when their data has been compromised, Ponemon says, but responding too quickly drastically increases the chances that customers that weren't affected will be notified that they were.

"People want to know what they need to worry about," he says. "But over-reporting is a problem. A lot of organizations have made a decision to over-report the size of a data breach. That's a bad strategy. It makes consumers worry unnecessarily and leads to a higher number of people that will churn or end their relationship with the company because they no longer believe the company is responsible with their data."

In addition, Ponemon notes that once a data breach has been detected, it can take months or even as much as a year to determine whether data has been lost or stolen, as cybercriminals often work hard to cover their tracks.

"Thirty days may be an appropriate time to notify in many cases, but there needs to be a carve out for the law -- in the event that early notification will hinder the investigation, maybe they get a little more time before they have to notify. Once you notify, you tip your hand to the bad guys."

Digital Guardian's Levine is a bit more sanguine about the 30-day window.

"Sometimes it's difficult to do a full investigation in that period of time," he says. "But I think there needs to be better acceleration of notification. I think it demonstrates that better data security is important."

Ponemon also praises the Consumer Privacy Bill of Rights, noting, "Anything that elevates privacy as a social priority is a good thing."

On Tuesday, the president will appear at the National Cybersecurity and Communications Integration Center, where he is expected to discuss measures to increase cybersecurity information sharing between private sector firms and the government.

Close But Not Enough

"We are delighted that the administration will not only be enhancing the incentives for information sharing, but reviewing the entire information sharing architecture which is stuck in a 20th century industrial model," says Larry Clinton, president and CEO of the Internet Security Alliance (ISA) trade association, which the administration briefed on its proposals on Friday.

Clinton says a key problem with today's information sharing structure is an inability to reach small and mid-sized organizations with actionable information. He notes that ISA has suggested an alternative cross-sector model that leverages economies of scope and scale to make it easier and cheaper for small firms to fend off cyberattacks.

Clinton says he is also heartened by proposals to make it easier for law enforcement to pursue cybercriminals, adding that government has spent too much time and effort blaming the victims.

"We also welcome the administration's, and we hope Congress's, new focus on cybercrime," he says. "While protecting critical infrastructure from catastrophic cyberattack is obviously important, 95 percent of all cyberattacks are economic in nature -- mostly theft -- yet we successfully prosecute less than two percent of cybercriminals. Policy makers have spent too much time and rhetoric blaming the victims of cyberattacks and not nearly enough empowering and resourcing our law enforcement agents to go after the criminals themselves."

In the end, Clinton says the president's proposals are a good first step, but don't go far enough.

"The steps being announced this week are good, but not nearly enough," he says. "Our cyber platform is inherently weak and getting weaker with the explosion of mobile devices and the Internet of Things. The attackers are getting better as techniques confined to nation states a few years ago are now being used by common criminals. Finally, all the economics of cybersecurity favor the bad guys."

"Attacks are easy and cheap to access and profit margins are tremendous," Clinton says. "On the other hand, defense is hard, a generation behind the attackers and law enforcement is currently inadequate. Better information sharing would be good, but no one should think that is anywhere near enough to address our growing cybersecurity problems."

Stories by Thor Olavsrud