In his 2015 State of the Union address, President Obama pushed Congress to enact cyber-security legislation to combat emerging cyber-attacks.
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” Obama said in his address. “We are making sure our government integrates intelligence to combat cyber-threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children's information.
“If we don't act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe,” he said.
Obama's call to “finally pass” data security legislation, as well as a law that would defend entities against cyber-attacks, follows his attempts last week to jump-start the legislative process for a federal data breach statute enforcing a 30-day notification requirement from the discovery of a breach.
Already, Senator Bill Nelson has announced that he is in the final stages of drafting the Data Security and Breach Notification Act of 2015, which, if passed, would invoke the 30-day reporting standard and prevail over varying state data security and breach notification laws.
Following the late 2014 attack on Sony Pictures Entertainment, Obama has increasingly addressed the need to thwart cyber-attacks against the US. And in early January, he imposed sanctions against North Korea, to which the US government has attributed the Sony attacks.
In a Wednesday interview with SCMagazine.com, Amit Yoran, president of RSA, said that “anytime you get the president of the United States talking about cyber-security, it is a statement about the importance of cyber-security on the world stage.
“It plays a critical role in our modern, interconnected, global economy. And it's important that the President spoke to it and speaks to it,” Yoran said. “It is appropriate that it has his attention, and beyond State of the Union, that there's real concern at the senior-most levels of government and at corporations about cyber-security and what folks need to do about it.”
In the midst of the White House's appeals for bipartisan cyber-security efforts, privacy advocates at the Electronic Frontier Foundation (EFF) remind the public that IT security should not only be on lawmakers' agendas, but be there in such a way that past errors aren't repeated for the sake of introducing legislation.
Last week, for instance, the White House published a legislative proposal (PDF) to amend the Computer Fraud and Abuse Act (CFAA) – a federal anti-hacking law criticised for being outdated and leading to aggressive prosecution against individuals, such as computer programmer and activist Aaron Swartz, who committed suicide in January 2013.
Derek Manky, global security strategist at Fortinet, told SCMagazine.com in a Wednesday interview that “sometimes there can be political complications in seeing these things through,” as it pertains to effective cyber-security legislation.
He added, however, that the attention to improving our cyber-defences and practices, as a nation, in the SOTU address “underscores the importance of cyber-security and that it is on the agenda.”
“I think it's a great thing,” Manky added later. “We can't sweep these things under the rug. We have to put everyone on the same playing field.”
Dwayne Melancon, CTO of Tripwire, commented to journalists: “If the US government were to do one thing in 2015 that would make a significant difference in our cyber-security preparedness it would be to create a standard of due care that would allow companies to objectively evaluate their current cyber-security investments and make strategic decisions about how to improve them.
“The problem is that the expectations of what is ‘enough’ cyber-security protection are very vaguely defined. None of the expectations about cyber-security protection are clearly articulated, and few come from an authoritative source. This means that it's difficult for companies to legally defend themselves in the event of a significant breach, and it also makes it difficult for companies that haven't been breached to accurately assess business risks.”