Buried among the slew of national issues such as equal pay, immigration reform, climate change and Ebola, President Barack Obama spent a few seconds talking about net neutrality and cybersecurity in his State of the Union speech Tuesday evening. While it's nice to see security on the general agenda, it's still too early to know the government's plans.
The full paragraph from the State of the Union is as follows:
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”
Net Neutrality also made an appearance in the State of the Union. It will be interesting to see where the battle for Net Neutrality takes us in 2015:
"I intend to protect a free and open internet, extend its reach to every classroom, and every community, and help folks build the fastest networks, so that the next generation of digital innovators and entrepreneurs have the platform to keep reshaping our world."
For many CISOs and security professionals watching, the short paragraph on cybersecurity lacked substance: it offered no details and no new policy announcements. Some had expected the president to expand on the cybersecurity proposals he'd made in the days leading up to the speech. There was no mention of the administration's recent comments on encryption and surveillance. After a week of previews of the latest proposals, hearing cybersecurity covered so briefly was a letdown.
On the other hand, the fact that cybersecurity was mentioned at all suggests the government intends to act. “The President’s new emphasis on cybersecurity issues in this year’s State of the Union—coming after recent high profile attacks and before the U.S. transition toward EMV technology later this year—has moved these critical issues front and center on the national stage,” said Stephen W. Orfei, general manager of the PCI Security Standards Council.
Information sharing, protecting children's information online, and cybercrime are all issues the industry cares about. The White House has also promised to release a revised legislative proposal for the Consumer Privacy Bill of Rights it first touted in 2012. On the surface, the government appears to be on the right track.
Will the Ideas be Good Laws?
Security experts and privacy advocates remain concerned about how these ideas would translate into law. Will liability protection for information sharing improve the quality of the data being shared, or merely extend the government's surveillance apparatus? Would new criminal provisions actually make a dent when most of the criminals they target operate overseas? The Harvard Business Review has an in-depth analysis of some of these questions.
The proposal to update the Computer Fraud and Abuse Act to grant law enforcement broader authority could backfire on security practitioners. Dan Tentler, a well-known security researcher, told NextWeb that a penetration testing contract instructing him to "find weak points" in a client's network could land him in legal trouble if the client later decided the work was "out of scope."
Independent security researchers may become unwilling to look for bugs in software if "hacking" remains so broadly defined. Security researcher David Litchfield alone is credited with reporting 11 of the flaws Oracle is patching this week. Less research means more unfixed bugs, and that makes all of us less safe.
Intentionally accessing unauthorized information, such as password dumps and other stolen or intercepted data, could be considered a crime under the proposed law even if the material was posted on a public site such as Pastebin, wrote Robert Graham of Errata Security. Re-tweeting a link to where the information is stored could be considered "trafficking" in stolen data. And upgrading hacking to a "racketeering" charge means that anyone in contact with hackers could be treated as a member of a "criminal enterprise" without having committed a crime themselves, Graham noted.
“Tonight’s speech signals a renewed focus on cybersecurity and kicks off a year that will be the most transformative year in our industry’s history,” Orfei said. Whether the changes will actually result in better security for networks, data, and users remains to be seen. But at least everyone is talking.