Obama supports cybersecurity and privacy, but experts warn of unintended impacts

Calls for better information sharing and data breach reporting could hamper innovation or infringe on privacy, experts caution.

President Obama called for strengthening cybersecurity and privacy protection in his State of the Union speech Tuesday. Most security experts agree with the President's overall goals, but warn of potential unintended consequences that could do more harm than good.

A vision for stronger cybersecurity

The President outlined three broad areas to focus on: cybersecurity information sharing, modernization of law enforcement agencies' weapons against cybercrime, and national data breach reporting. Those are all worthy goals; however, they are not necessarily the most urgent ones, and security experts disagree on how, or whether, they can be achieved at all.

Gary Steele, CEO at Proofpoint, said, "The President's inclusion of cybersecurity as a topic in his speech is further validation of the critical importance of this issue across all industries and sectors, public and private. As regards his specific proposals, it is absolutely the role of the government to legislate consumer protection--but not corporate security strategy. Legislation cannot evolve as quickly as the threat landscape."

Reforming existing security rules

"From the point of view of a company that is subject to notifying the public of breaches, I can say it would be a breath of fresh air to have a single, consolidated, and consistent regulation to deal with," declared Mark Kraynak, Chief Product Officer, Imperva. "But from a practical industry perspective, if there's any value to breach notifications, it's already been realized by the plethora of overlapping state and international laws."

Tripwire CTO Dwayne Melancon also suggested starting with some clarification of the existing rules and requirements. "Organizations have an overwhelming array of choices available to improve their cybersecurity programs, but what criteria should they use to make these investment decisions?"

Melancon added that the lack of clarity also hampered corporate risk assessment around cybersecurity policy and practices. "None of the expectations about cybersecurity protection are clearly articulated, and few come from an authoritative source," Melancon said. "This means that it's difficult for companies to legally defend themselves in the event of a significant breach, and it also makes it difficult for companies that haven't been breached to accurately assess business risks."

Robert Hansen, VP of WhiteHat Labs at WhiteHat Security, was less than enthusiastic about Obama's cybersecurity proposals. "While it's understandable that the American population wants to take a stand against computer crime, what the President is proposing to enact into law would have made no difference in the Sony case."

Hansen suggested that the technologies being recommended to protect a free and open Internet will actually make government censorship easier, and have a chilling effect on benign computer security research--efforts by researchers like those at WhiteHat Labs designed to proactively identify vulnerabilities and exploits in order to protect the American public. Businesses may move out of the United States for fear of public backlash if they are required to disclose that they have been breached.

Chris Doggett, managing director for Kaspersky Lab North America, agreed that any legislation enacted shouldn't end up prohibiting the techniques and methods used by legitimate security researchers, security consulting companies, and security vendors. He warns that we can't "handcuff" the very people and organizations we rely on to defend us from the cybercriminals.

Doggett also stressed that mandated information sharing could do more harm than good. "It should not cross over into the area of broad-reaching surveillance (in conflict with our right to privacy), nor should regulations be enacted that force information disclosures which compromise criminal investigations. And of course, we must safeguard against information being disclosed which causes incremental damage to the victims of the attacks or unduly punishes those who are not our true adversaries in the battle against cybercrime."

Stay calm and keep secure

Cybersecurity plays an integral role in the safety and economic stability of our nation. It's about time that cybersecurity be treated as a higher priority, and that we start to find ways for the public and private sector to work together for better security. Finding a politically acceptable common ground that actually has a chance of impacting cybersecurity is a virtually impossible task, though.

It's important for people to be informed about what the government is planning, and to speak up to their elected officials if they disagree with proposed legislation. Tim Erlin, director of IT security and risk strategy at Tripwire, cautions against freaking out prematurely, though. "Rhetoric is just that, and the cybersecurity industry as a whole should be cautious about Obama's proposals. Until they make their way through the muck and mire of Congress, they remain merely ideas aspiring to become reality."

Stories by Tony Bradley