If cybersecurity wasn’t already on the minds of Americans before last Tuesday—it is now. In President Obama’s State of the Union address, he challenged Congress to pass legislation to ward off cyber-attacks that “shut down our networks, steal our trade secrets, [and] invade the privacy of American families.”
This year may be the year lawmakers pass cybersecurity legislation. The recent (and massive) Sony hack gained attention from enterprises and consumers around the world and brought the importance of online data protection into the public spotlight.
Cybersecurity Budgets on the Rise
With the number of breaches this past year, cybersecurity should already be a concern for corporations. Companies need to take precautionary measures to secure and protect consumer and proprietary information. In the past, company leaders may have only thought about this type of protection at occasional board meetings, but they are now forced to examine current protocols in order to avoid a detrimental slip-up.
Does the company have a qualified security person running operations? Does the company devote enough time, money, and resources to protect critical information? These are the types of questions many organizations are asking themselves, and these types of questions are going to lead to an increase in security operations worldwide. The research firm Gartner expects information security spending to grow 8% this year.
Obama’s Push for Cybersecurity Legislation
A week before the State of the Union, President Obama made a legislative proposal regarding cybersecurity that covered five points:
- Enable information sharing between the government and private sector: The President proposes finding a way to share cybersecurity information between private sector companies and government entities. This is meant to help the government to predict and combat security issues in advance.
- Modernize law enforcement to fight cyber crimes: The proposal would allow law enforcement agencies to have more advanced tools to investigate and prosecute cyber crimes.
- Data breach reporting: As part of the proposal, businesses would be required to notify customers within 30 days following a breach.
- Cybersecurity education: The proposal would provide $25 million in grants to support cybersecurity education in order to help more individuals meet the demands of the job market and to help more companies hire qualified cybersecurity professionals.
- Criminalize the act of collecting, possessing, or distributing illegally obtained data: The proposal is meant to allow the government to prosecute cyber criminals.
This proposal joins other pieces of legislation from Congress.
Other Proposed Legislation
Cybersecurity threats aren’t a new thing. Congress has been thinking about how to handle these types of attacks for several years, though it still has not found a legislative solution that works for everyone.
The Cyber Intelligence Sharing and Protection Act (CISPA) was first introduced by the House in 2011. The proposed legislation would allow Internet traffic information to be shared between government, technology, and manufacturing companies to help the government investigate threats. The House reintroduced the bill this month, and it’s now being reviewed by the Committee on Intelligence to determine if it will go to a vote.
Similar to CISPA, another proposed piece of legislation is the Cybersecurity Information Sharing Act (CISA), which was introduced by the Senate in July 2014. This bill proposes to improve cybersecurity through the sharing of information about cybersecurity threats.
What Cybersecurity Legislation Could Mean for Companies and the Cybersecurity Industry
Some cybersecurity professionals have expressed concern about the nature of the proposed legislation. For instance, with the updated Computer Fraud and Abuse Act (CFAA), you could wind up in jail for sharing a Netflix password or clicking a link to unauthorized information. It would also bump up the penalty for unauthorized access to computers, systems, or information to a felony charge. This broad approach can inhibit security researchers and whistleblowers, and can trickle down to curious or naïve Internet users.
A senior security architect said, “CSOs already have it in their best interests to do everything they can to reduce breaches, and [Obama’s] proposed legislation… doesn’t add any incentives to further those efforts.”
The Electronic Frontier Foundation has already spoken out about CISPA and CISA, saying that the bills invade privacy and give companies a lot of wiggle room on the legal side of things.
Michal Lev-Ram at Fortune.com interviewed a number of leaders of Fortune 500 companies for reactions to the President’s message. Their responses range widely from agreeing that more information is more power and could prevent attacks to saying that the focus is too much on what happens after an attack. You can read more of their detailed responses here.
Passing a bill could (and probably will) take more time and will come after much more discussion on the topic. What most everyone can agree on, however, is the fact that this brings cybersecurity to the nation’s attention—with more people involved in the conversation, we are more likely to come to a solution that works and keeps America’s companies’ and consumers’ information private.