Following on from his proposed national 30 day breach notification law, President Barack Obama has also announced a new cyber security legislative proposal.
The President has unveiled the next steps in his plan to defend the nation’s systems, including a new legislative proposal, building on work done in Congress, solving the challenges of information sharing and including revisions to the 2011 legislative proposal on which Congress has yet to take action.
The administration’s updated proposal promotes better cyber security information sharing between the private sector and Government, and enhances collaboration and information sharing amongst the private sector.
Specifically, the proposal encourages the private sector to share appropriate cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), which will then share it in as close to real-time as practicable with relevant federal agencies and with private sector-developed and operated Information Sharing and Analysis Organisations.
The Administration’s proposal would also safeguard Americans’ personal privacy by requiring private entities to comply with certain privacy restrictions such as removing unnecessary personal information and taking measures to protect any personal information that must be shared in order to qualify for liability protection.
Recognising that law enforcement must have appropriate tools to investigate, disrupt and prosecute cyber crime, the administration’s proposal contains provisions that would allow for the prosecution of the sale of botnets, criminalise the overseas sale of stolen US financial information, expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity.
The proposal also modernises the Computer Fraud and Abuse Act by ensuring that “insignificant conduct” does not fall within the scope of the statute, while making clear that it can be used to prosecute insiders who abuse their ability to access information to use it for their own purposes.
Other efforts include a White House Summit on Cyber Security and Consumer Protection on February 13th to bring together major stakeholders on cyber security and consumer financial protection issues. Also, more grants to Historically Black Colleges will be given for cyber security education.
Eric Chiu, president and co-founder of HyTrust, said: “The recent privacy legislation announced by Obama is a good step towards enabling companies to better share information on security threats and ensure that consumers receive consistent privacy notification.
“However, like any legislation, this won’t change how companies act unless there are real consequences and penalties. Also, with breaches happening more frequently and the damage getting bigger – especially when the primary threat is coming from the inside – this legislation will do little to slow down or stop the real threat.”
Steve Hultquist, chief evangelist at RedSeal, said: “The President has increased the focus on cyber security, through a combination of visibility and modernisation of laws to take into account the current understanding of cyber crime. This combination underscores the inexorably growing threat of cyber attack, including theft, espionage and sabotage.
“All organisations with networked systems need to deploy such analysis before it’s too late, and the President’s initiatives make clear that the attacks will continue to escalate for the foreseeable future.”
Richard Turner, VP EMEA at FireEye, broadly welcomed the proposals. “Intelligence is a critical component of any proactive security strategy and its distribution can help reduce the number of victims in a given cyber attack,” he said.
“However, to be fully effective, information needs to be contributed to and shared by both the public and private sectors. Crucially, appropriate procedures need to be established for the sharing of intelligence in order to avoid infiltration by threat actor groups.”