The White House proposed new cybersecurity legislation Thursday that aimed to protect the country against threats to the national infrastructure and the economy, but it was too small a step, according to IU cybersecurity experts.
Fred Cate, a professor in the Maurer School of Law and the director of the Center for Applied Cybersecurity Research, said cybersecurity attacks are a huge problem in today’s society.
“We live in a data-driven society — almost everything we do generates or uses digital data,” Cate said. “Yet as the president and most everyone else recognizes, those data and the systems that transmit and store them are not secure.”
The proposal focuses on the protection of American citizens, critical infrastructure, government systems and privacy and civil liberties. The legislation includes harsher penalties for cybercriminals and requires the Department of Homeland Security to work with companies in the private sector to identify and address vulnerabilities.
Von Welch, the deputy director of the CACR, thinks the new legislation was a positive step, but not a big enough one.
“My concern is that it isn’t keeping up with advances we’re seeing in cybercrime,” he said.
The administration’s cybersecurity efforts have been focused on new technologies, rather than on creating legal and economic incentives for the private sector to invest in better security, Cate said. This approach hasn’t worked, he said.
“During the past two years we have witnessed massive security breaches involving hundreds of millions of Americans, involving Sony PlayStation, the online marketing firm Epsilon, even the security powerhouse RSA,” Cate said. “According to one study, more than 2,500 companies were victims of one sophisticated cyberattack that exfiltrated proprietary corporate data, and there are thousands of other successful attacks against companies and agencies.”
Cate said that U.S. counterintelligence officials report that 140 foreign intelligence organizations are actively engaged in trying to hack into U.S. government and business networks.
“Without appropriate incentives, industry won’t invest sufficiently in good security,” he said. “It is that simple.”
Welch agrees. Much of what the legislation does is formalize practices already happening, he said.
“For example, federalizing breach notification laws that have already been put in place by many states, and explicitly allowing collaboration and information exchange that is already taking place among cybersecurity practitioners.”
Cate and Welch agree that there are some positive parts to the plan. Its focus on critical infrastructure, by mandating that core critical infrastructure operators create plans for addressing threats, is a step forward. Having those plans evaluated by third parties is a good step given the importance of critical infrastructure to national security, Welch said.
What’s missing from the plan, Welch said, is a similar push for other parts of the Internet.
“As recent high-profile cases such as Sony and Epsilon have shown, and what seem to be constant problems with privacy on social networking sites, there are other companies operating on the Internet that while perhaps not critical to our national security, still impact millions of people,” he said. “There is nothing in the proposed legislation to really incentivize these companies to improve their cybersecurity and, in turn, our privacy as their users.”
Cate explained how the plan could be improved.
“The plan could include legal requirements for good information security, tax incentives, safe harbor provisions for businesses that try to enhance security even if they fail, liability provisions to allow injured consumers to recover from harms caused by bad security and new enforcement powers and resources for the Federal Trade Commission,” he said.
In addition to calling for new privacy protections, he said the President should appoint the members of the Privacy and Civil Liberties Oversight Board, which Congress created but the administration has yet to fill.
Cate also said the administration’s plan includes no effort to curtail risky behaviors by businesses themselves.
“The recent discoveries that Google and Apple are both collecting location data on smart phone users and storing that data, unencrypted, in unsecured files suggests that some regulation may be appropriate to protect individuals as well as industry,” he said.
The bottom line? Technology is very important in security, but the administration’s focus on it is only one step towards enhancing information security.
“Technologies are like magic bullets for the government — no matter what the problem, we want to believe that technology can solve it,” Cate said. “Technology alone just isn’t enough — for security or anything else.”