Even before President Obama’s State of the Union address on January 20th, The White House was touting new cybersecurity initiatives that would be mentioned in the address. Indeed, during his speech, President Obama told a nationwide (and worldwide) TV audience, “To stay one step ahead of our adversaries, I have already sent this Congress legislation that will secure our country from the growing danger of cyber-threats.” This is the first time that the topic of cybersecurity has received such high profile political exposure in the State of the Union, and given the increasing sophistication of hackers, it likely won’t be the last. Cybersecurity is now an integral component of national security. (The complete State of the Union address is available at www.whitehouse.gov/sotu.)
The legislative proposal that the President had already sent to Congress was outlined in a press release on January 13th. It included three main components:
- Enabling Cybersecurity Information Sharing – to foster collaboration between private and public sectors on cybersecurity, as well as enhance some privacy aspects of consumer data collection and usage.
- Modernizing Law Enforcement Authorities to Combat Cyber Crime – to bolster efforts to find, disrupt, and prosecute hackers.
- National Data Breach Reporting – to put in place national requirements for disclosing data breaches to employees and customers.
In addition, the Obama administration is clearly committed to keeping cyber-security on the front burner, with a Summit on Cybersecurity and Consumer Protection to be held at Stanford University on February 13th.
VDC’s opinion is that the legislative proposal, even if it is adopted into law (which isn’t a given in the Republican-controlled Congress), doesn’t go far enough. Perhaps no U.S. law could possibly go far enough, because most hackers operate outside of U.S. territory. Cyberspace isn’t constrained by geographic borders, and some nation-states (including the U.S.) are themselves occasional perpetrators.
In our view, true cybersecurity will require improved technology to reduce cyber-vulnerabilities, as well as international treaties or agreements that dramatically improve abilities to find, thwart, and prosecute hackers worldwide. The White House has already announced the first such agreement with the United Kingdom. We have no doubt that other U.S. allies, such as in the European Union, will follow suit. But the real challenge will be gaining participation from rogue nations or others which are not U.S. allies. Russia and Eastern Europe appear to be the sources of many organized hacker groups. Russia, now suffering economically with low oil prices and U.S. and E.U. sanctions over its invasion of Crimea, isn’t likely to cooperate any time soon. Don't expect North Korea to pitch in during the lifetime of Kim Jong-un (irrespective of whether or not that country was behind the massive Sony Pictures breach of 2014). And China may espouse cooperation while practicing coopetition.
In short, we’re not holding our breath for a worldwide cybersecurity group hug.
For now, our advice to The White House is to start by cleaning up the security of its own website. When we pointed our browser to www.whitehouse.gov the morning after the State of the Union address, up popped the error message, “Internet Explorer blocked this website from displaying content with security certificate errors.” (See screen shot below.) A facepalm is in order.