2014, the year of the cyber breach—think Target, Heartbleed, Home Depot, JP Morgan Chase, and, yes, Sony—has unsurprisingly led the United States to where it is today: with a president willing to move the conversation about cybersecurity to the forefront of politics. Last week, President Obama used his annual State of the Union address to set his agenda for 2015. “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children's information,” he said.
Obama’s comments come amidst tangible action in Washington. In the closing weeks of 2014, Congress passed several pieces of cybersecurity legislation, including the National Cybersecurity Protection Act of 2014, the Federal Information Security Modernization Act of 2014, the Cybersecurity Enhancement Act of 2014, and the Cybersecurity Workforce Assessment Act of 2014; this legislation will strengthen the ability of the public and private sectors to work together in preventing future cybersecurity breaches while also developing a more robust cybersecurity workforce. Furthermore, Obama has planned a White House Cybersecurity Summit at Stanford University on February 13, which will provide an opportunity to develop further public-private sector collaboration and to explore cybersecurity best practices and technologies.
The legislation Obama referred to in his State of the Union address remains to be acted upon by a partisan Congress. The goals, however, are threefold: to encourage the private sector to share cyber threat information with the government through the use of liability protection for companies that adhere to consumer privacy protections; to strengthen the government’s ability to combat cybercrime by prosecuting the sale of botnets and criminalizing the sale of stolen financial information abroad; and to create a national standard for how and when companies report security breaches to the public.
Although cybersecurity experts are encouraged by Washington’s newfound urgency surrounding online privacy and security, many doubt politicians will be effective in creating a climate that will truly protect the public. Increased sharing of information with the government assumes the government is a safe and secure place for information, an assumption that continues to demand blind trust from consumers and to feed their insecurity. Congress is tasked with reauthorizing parts of the Patriot Act by June 1, 2015. Until the American public knows the extent to which the National Security Agency (NSA) is authorized to conduct surveillance, it should be hesitant to support the government’s proposed information sharing. Additionally, cybersecurity professionals at companies such as Nexus-Guard and Social-Engineer, Inc. find Obama’s proposed legislation to be “scary as hell,” as it would turn the hacking done in the interest of protecting companies against cyberattacks into a criminal offense.
Obama was wise to refer to cyber-attacks as an “evolving threat” last Tuesday night. However, he failed to recognize that partisan politics, slow-to-pass legislation, and business as usual will simply not keep pace with cybersecurity’s evolving threats well enough to give consumers the security they deserve.
In an era in which the United States government is just beginning to grasp the significance of cybersecurity and has yet to produce a workable solution for protecting its citizens’ privacy and security, consumers everywhere need to take their online safety into their own hands. This Data Privacy Day, we urge you to take a look at the resources provided by the National Cyber Security Alliance to keep individuals and businesses secure in a well-intentioned but uncertain 2015.