After an onslaught of digital attacks inflicted critical wounds upon Sony, Westinghouse, Home Depot and scores of other businesses and consumers last year, President Barack Obama has renewed a call for legislation to shore up the nation’s cyber defenses.
But while local and national experts say the proposal is a necessary step that could slow some attacks, they caution that it doesn’t go far enough in stopping cyberattacks, particularly those on critical infrastructure.
The president’s proposal calls for a law requiring companies to notify consumers of a data breach within 30 days of discovery, makes it illegal to sell botnets (malicious software designed to control computers remotely) and allows law enforcement to pursue criminals selling stolen financial information overseas.
The proposal, which is expected to be part of today’s State of the Union, reiterates a 2011 call to make cybercrime punishable under the Racketeer Influenced and Corrupt Organizations Act and aims to shield companies that share data breach information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center from liability.
This time — unlike the past three years when similar legislation languished in Congress — the president’s proposals tie into a bipartisan bill that should pass the Senate this summer, according to Sen. Harry Reid, D-Nev.
“The security of our computer networks is woefully inadequate, and the threats against them are growing more sophisticated each day,” Mr. Reid said in a statement on his website. “It is time to create the proper authorities and enhance the tools to protect the computer networks that are so crucial to our daily lives.”
While Mr. Obama’s move has garnered support from the U.S. Chamber of Commerce, the National Retail Federation and several other public and private stakeholders, industry experts say it won’t stop the barrage of cyberattacks.
“Absolutely not,” said Albert Whale, founder and chief security officer of Ross-based cybersecurity firm ITSecurity. “Proposals don’t get work done.
“However [the proposal] may be enough for executives and companies to finally spend the money to get started. We have to start somewhere; any first step we take is a step in the right direction.”
Mr. Whale, co-founder and sponsor of the Pittsburgh FBI InfraGard — a program that promotes discussion between the private and public sector regarding critical infrastructure protection — said the proposals are long overdue, but added that while preventing the sale of botnets and prosecuting criminals who sell personal information overseas could slow the frequency of attacks, those measures won’t prevent criminals from finding pathways into unprotected systems.
Critical infrastructure such as systems operating electrical grids or nuclear facilities wouldn’t gain significant protection under the president’s proposal, according to Joe Weiss, managing partner of San Francisco industrial control systems cybersecurity firm Applied Control Solutions, LLC.
Mr. Weiss, who has worked in industrial instrumentation controls and automation for more than 30 years and in cybersecurity for more than a decade, said the proposed legislation focuses on protecting information technology systems and personal information far more than protecting physical systems.
“This is reinforcing the concept that cybersecurity is strictly a confidentiality problem and not a problem that could affect physical things like electric grids, pipelines — you name it — where equipment could be damaged or people killed,” he said.
True protection of critical infrastructure, according to Mr. Weiss, would require collaboration with international entities that share the same control systems equipment as the U.S.; a mandatory cybersecurity framework followed by all entities involved with critical infrastructure systems; strong protection of information surrounding hacks shared with the Department of Homeland Security; and a sincere effort from private companies to secure their own networks.
However, considering that Mr. Weiss believes Homeland Security dropped the ball last July by releasing classified information about a test that destroyed a diesel generator by hacking into the system (a charge that the department denied), he’s not encouraged by the idea of private companies reporting to the agency.
He’s also not convinced that private stakeholders will make the necessary financial investment to protect against a critical infrastructure hack, since no U.S. company has directly tied any physical damages to cyber activity.
“People have a tendency to not believe this is real. It’s all hypothetical, like you’d see it on TV but it could never really happen. So there’s a reticence to want to spend money on something they don’t want to believe is real,” Mr. Weiss said. “If you don’t believe it’s real, any money is too much money.”
On the consumer side, any reluctance to spend money on cybersecurity might put companies at a competitive disadvantage, Mr. Whale said.
Noting that the proposal to require that consumers be notified about data breaches within 30 days of discovery might not be enough to protect all bank accounts, he said it will give consumers a better idea of which companies aren’t doing enough to protect themselves.
“If you get one or two of these notifications, are you going to continue to do business with an organization that can’t stay protected? I think it gives the consumer a clear choice of where to spend their money,” Mr. Whale said.
Deborah M. Todd: firstname.lastname@example.org, 412-263-1652 or on Twitter @deborahtodd.