Experts: Obama's Calls for New Cybersecurity Laws a Good Start, but Nation Needs More

President Barack Obama has put the cybersecurity ball into Congress’ court, seeking legislation that pushes what some industry experts have clamored for in the quest to better protect the nation’s information network. The president unveiled details Tuesday for new laws toward better cybersecurity, which include a heavy focus on increased information sharing between government and industry. Some experts have said cybersecurity lacks a robust information-sharing plan between the private sector and government and the related safeguards to protect companies that share from prosecution. It's a good start, but not quite enough, some experts say.

“First, we’re proposing new cybersecurity legislation to promote the greater information sharing we need between the government and the private sector,” Obama said during his visit to the National Cybersecurity and Communications Integration Center in Arlington, Virginia. “This builds and improves upon the legislation that we’ve put forward in the past. It reflects years of extensive discussions with industry. It includes liability protections for companies that share information on cyberthreats. It includes essential safeguards to ensure that the government protects privacy and civil liberties, even as we’re doing our job of safeguarding America’s critical information networks.”

Pundits touted 2014 as the “year of the breach” after a spate of high-profile data breaches that hit big retailers and financial institutions; Monday, the Twitter and YouTube accounts of the U.S. Central Command were hacked by a pro-Islamic State militant group, prompting military officials to temporarily suspend the accounts.

A day after the CENTCOM breach, outgoing Defense Secretary Chuck Hagel said adversaries of the United States range from hostile nations to terrorist groups. “Nation states have some component of responsibility, some boundaries, but individuals and non-nation states don’t,” Hagel said while visiting with U.S. Marines in California.

“This is a cyberwar,” says Mike Lloyd, chief technology officer at the security analytics company RedSeal. “Seeing the rest of the world wake up to this and realize that we’re effectively fighting a very complex insurgency out there, with many many theaters of action, and we’re not coordinating our responses. From a military point of view, how stupid is that? That’s why there’s so much emphasis on sharing.”

In addition to better information-sharing initiatives, Obama seeks tougher laws to prosecute criminals. “We want to be able to better prosecute those who are involved in cyber attacks, those who are involved in the sale of cyberweapons like botnets and spyware, we want to ensure we are able to prosecute insiders who steal corporate secrets or individuals’ private information,” Obama stated. “We want to expand the authority of courts to shut down botnets and other malware. The bottom line, we want cybercriminals to feel the full force of American justice, because they are doing as much damage, if not more these days, as folks who are involved in more conventional crime.”

The administration’s reinvigorated efforts to get cybersecurity legislation passed include prompting companies to share with the Department of Homeland Security threat information, including Internet Protocol addresses, date and time stamps, and routing information.

The call for information sharing is a good first step, industry expert say, but it’s not quite enough. “Fighting a cyberwar—even a defensive one—requires the same three disciplines as a regular battle: you have to understand the terrain you’re fighting on, your own forces and the movements of the enemy,” Lloyd says. “The president’s proposal engages with the last of these problems—we need to share information, because no one defender can see what is going on, or which techniques are being used to attack other organizations, etc. This is a good step but is not enough. If organizations hope to benefit from timely intelligence information, they will need to understand their own defensive posture and readiness.”

Information sharing must be backed up with consequences if agencies or companies fail to comply, says Eric Chiu, president and co-founder at HyTrust, a cloud control company. “The recent privacy legislation announced by Obama is a good step toward enabling companies to better share information on security threats and ensure that consumers receive consistent privacy notification. However, like any legislation, this won't change how companies act unless there are real consequences and penalties.”

Lawmakers can turn to successful examples of the industry sector sharing information, which might be helpful to emulate, Lloyd offers. At the Financial Services Information Sharing and Analysis Center (FS-ISAC), for example, banks share information on breaches with enough detail to be beneficial, without giving away sensitive customer information.

Until now, a lack of clear-cut stipulations and fear stymied a full industry embrace of the information sharing notion—fear of sharing proprietary details, personnel data or criminal prosecution. If not done correctly, it could leave companies more vulnerable to information leaks and security holes that cybercriminals could exploit, cautions Adam Kujawa, head of malware intelligence at Malwarebytes. “However, when it is done correctly, and we all hope it is, then it’s a powerful tool to quickly fix security problems and contain an attack to only a single organization or less.”

Congress has tried to tackle the issue—before both chambers were controlled by the Republican Party. A Senate version of the Cybersecurity Information Sharing Act of 2014 seeks to expand information shared about cybersecurity threats and defensive mechanisms between government and industry. Language in the bill includes a call for increased sharing of classified and unclassified cyberthreat information; authorizing the voluntary sharing of cyberthreat information by individuals and companies with each other and the government while safeguarding personally identifying information; enacting liability protections for individuals and companies that appropriately monitor and safeguard their own networks; and limiting the government’s ability to use information it receives for cyber-related purposes, not for inappropriate investigations or regulation.

“The measure, however, doesn’t specifically address the needs for modernization. It makes some technical adjustments, but the whole concept is problematic,” says Lance Cottrell, chief scientist at Ntrepid. “National standards for breach reporting are long overdue. Right now your right to know if your information has been stolen depends on your state of residence, which is absurd. Broader and uniform reporting requirements keeps businesses accountable for their security, and allows everyone to know when they need to take special precautions to protect themselves, their data and their accounts.”