Now that the annual State of the Union address has been given, I thought it would be interesting to hear what some cybersecurity experts have to say about the President’s data security and privacy initiatives. I admit I was disappointed that little depth or explanation was provided about the initiatives that generated so much news in the days before. Instead, we heard just a passing comment or two stating that hackers shouldn’t be able to take down our networks and that Congress needs to pass legislation regarding cybersecurity and protecting citizens from potential identity theft. Sadly, I think that by not going into specifics, the country lost a great opportunity to really discuss the importance of improved cybersecurity.
However, cybersecurity has been brought to our attention and there is finally recognition of the damage that can be caused. And, as Marc Gaffan, CEO of Incapsula, told me in an email, this discussion is coming at a time when criminal activities are more complex and the bad guys are using more lucrative tactics:
Creating legislation that clearly states the illegality of selling botnets will combat the exponential growth of malicious bots trolling the Internet, which by our own research makes up 30 percent of all Web traffic. We also see great potential in allowing courts to shut down bots engaged in DDoS attacks and other illegal activity. These types of attacks cost businesses an average of $500,000 in damages, and as we saw recently with the Sony hack, organizations under attack are largely helpless in protecting themselves once their network has been breached.
One of the more important pieces of the cybersecurity initiative is the Personal Data Notification & Protection Act, which would create a federal standard for customer notification deadlines after a company suffers a data breach. It’s an important step, since the current system is such a patchwork and there seems to be no consensus about how notification laws work across state lines. But it isn’t perfect, as Stephen Cobb, senior security researcher at ESET, said in a statement:
As proposed, the law does not apply to HIPAA covered entities and business associates, nor the FTC covered vendors of personal health records. That leaves the 60-day notification deadline in place.
Jeff Williams, CTO of Contrast Security, also pointed out that this particular initiative ignores a lot of important security risks:
Obama’s proposal doesn’t cover the vast majority of breaches. Most break-ins do not involve disclosing credit card numbers, Social Security numbers, or other PII. We need to know about ALL breaches. I was very surprised about the reaction to the Goldman breach several months ago. Everyone focused on the personal information, but ignored the fact that the attackers took control of NINETY servers. Goldman lost control of a significant amount of their infrastructure, undermining the integrity of their business. But under Obama’s new rule, they wouldn’t have had to disclose this breach if no personal information was stolen.
So, it seems to me that while security experts are pleased that cybersecurity has finally come up for serious discussion, there is very cautious optimism and a feeling that we still have a long way to go before truly addressing cybersecurity threats as a whole.
But at least it is a start, and that’s something.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba