The President’s State of The Union address Tuesday night addressed Information Security for the second time in three years.

Two years ago, in 112 words, the President announced the NIST Framework, increased information sharing through executive action, and called for the nation to “face the rapidly growing threat from cyber-attacks.” The threat then was theft of corporate secrets and “real threats to our security and our economy.” These actions stemmed from a series of nation-state threats epitomized by attacks on Google and ongoing attacks against a range of companies and technologies.

In 2014, we had different priorities, with a significant breach at Target and an advancing NIST Framework, and the President spent a few words to acknowledge the need to “combat new threats like cyberattacks.”

This year, after breach notifications and revelations arguably making the past year the least secure in history, the President put some Information Security beads on an Infrastructure thread. Starting with our development of the Internet, he stated the need for the fastest Internet service (ours is among the slowest and most expensive of industrialized nations), and linked that to the need for a “free and open Internet…so that the next generation of digital innovators and entrepreneurs have the platform to keep reshaping our world.”

He asked again for Congress to “pass the legislation we need to better meet the evolving threat of cyber-attacks,” and protect our identities and information.  He specifically called out the threat of cyber attackers shutting down our national services and infrastructure.  Concluding his infosec-related remarks, the President noted ongoing work on privacy in surveillance activities and a report coming out next month on enhancing safety while strengthening privacy.  

The President’s call for action is important, and requires the involvement of the Information Security Community. Against the backdrop of probably the most attacks in history, ongoing revelations about cyber-attack capabilities, potential surveillance overreach, an ongoing cyber attack against Sony, and continuing revelations of breaches in retailer after retailer, the direction and details of proposed legislation matter. The direction is good; we need legislation, action and details to make sure the state of Information Security advances and improves. The wrong details could derail US leadership in Information Security and the concomitant jobs, companies, and infrastructure.

The community discussion of details breaks down across four major categories – Information Sharing, Legal Authority and Law Enforcement, Research, and Privacy.  Missing from much of the discussion is a prescription and requirements for security.  In a series of posts we’ll discuss each of these five areas in more detail.  Here’s a quick summary of issues:

  • Information Sharing – Lawyers, companies, and executives have differing views on the need for protections against liability from sharing information.
  • Legal Authority and Law Enforcement – There are differing views on whether CFAA needs to be expanded, curtailed, refined, or recreated.
  • Research – The legality of current legal and ethical forms of research appears to be threatened by some of the proposed changes.
  • Privacy – Commentary in the US and UK against encryption and the assurance of privacy appears to leave people with reduced security tools to protect their privacy.
  • Prescriptive requirements – There is little discussion of requiring companies to meet security standards.

The Infosec Community needs more tools – information sharing, research, legislation, and technology – to provide our clients and customers the security needed to enable growing business and new business models. The direction is right, but the details matter. Let's work toward helping our government partners get the details right.