Tripwire security experts comment on the cybersecurity proposals President Obama presented in his State of the Union address:
Dwayne Melancon, CTO of Tripwire, says: “If the U.S. government were to do one thing in 2015 that would make a significant difference in our cybersecurity preparedness, it would be to create a standard of due care that would allow companies to objectively evaluate their current cybersecurity investments and make strategic decisions about how to improve them. The problem is that the expectations of what is ‘enough’ cybersecurity protection are very vaguely defined. In other words, there is no way for any organization to determine if their investments in cybersecurity will be deemed ‘sufficient’ to protect sensitive business and customer data.
Furthermore, many organizations throw their hands up in frustration because they don’t know where to start, and don’t have cybersecurity expertise of their own. Organizations have an overwhelming array of choices available to improve their cybersecurity programs, but what criteria should they use to make these investment decisions?
None of the expectations about cybersecurity protection are clearly articulated, and few come from an authoritative source. This means that it’s difficult for companies to legally defend themselves in the event of a significant breach, and it also makes it difficult for companies that haven’t been breached to accurately assess business risks.”
Tim Erlin, director of IT risk and security strategy for Tripwire, writes:

A general comment: Rhetoric is just that, and the cybersecurity industry as a whole should be cautious about Obama's proposals. Until they make their way through the muck and mire of Congress, they remain merely ideas aspiring to become reality.

On increased sharing of information: The Federal government speaks with two mouths on the subject of information sharing. While Obama supports sharing of threat intelligence data in order to better respond to and prevent attacks, his intelligence agencies attribute attacks to North Korea with evidence that amounts to 'trust me.' Private companies can't help but wonder what cyber threat indicators are subject to "other provision[s] of law" and won't be shared.
The proposal for breach notification contains a clause requiring notification of the Federal government about "security incidents, threats, and vulnerabilities" in specific cases. It remains an open question how this information may be processed and further shared as cyber threat indicators to help prevent other breaches. If everyone notifies the government, and the government shares the data, what happens to the burgeoning Threat Intelligence industry?
Information sharing is a long standing cornerstone of US Federal government cybersecurity proposals, but it suffers from the perennial problem that organizations simply want to receive data without sharing. I don’t think we’ve hit the tipping point on sharing just yet.
On breach disclosure laws: A national standard for data breach reporting could make a real impact on the complexity and cost of a breach. Organizations, especially small-to-mid-sized companies, struggle with the complexity of requirements created by nearly 50 different laws. On the whole this is a valuable effort, but organizations should pay careful attention to the many exemptions and exceptions throughout Obama's proposal.
There's a section in the proposed legislation that describes how an organization can produce a risk assessment demonstrating that "there is no reasonable risk of harm or fraud" resulting from a breach, which makes them exempt from notification. This seems like a big loophole.
Financial organizations, in some circumstances, have no requirement for notification of a breach if they have a system in place to notify users after fraud has occurred. This should be called the 'no harm, no foul' clause.
Ken Westin, senior security analyst at Tripwire, observes: “I feel that Obama missed an opportunity to address concerns of overreach by our own government and corporations when it comes to protecting citizens’ rights to privacy. He specifically stated in his address that ‘No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families.’ He failed to mention how CISPA will protect citizens’ data from abuse by our own government and corporations. Obama’s urging of Congress to pass CISPA may be premature, as they are asking Americans and private industry to share more data without establishing guidelines as to what the government can collect in the first place.
It’s unlikely that the proposal will become law in its current form. There are many political and commercial interests that will add their views along the way. While there’s certainly additional motivation with current events, the proposal still has a lot to go through before it’s enacted in a material form.
The spirit of the proposed changes is good, and it is good to see cybersecurity being taken seriously by the government, but the devil is in the details. In order for the new cyber initiatives to work, the Obama Administration should open up the conversation with private industry and leverage the expertise of information security experts. There has already been a loss of trust between the government, its citizens and businesses as a result of the Snowden revelations, and it would be a mistake to develop any new legislation without involving outside groups and providing a level of transparency to the process. There is already some heartburn with regard to changes to both RICO and the Computer Fraud and Abuse Act that make some security researchers nervous about what they mean for their work, whether they and their work could become targets, and what impact they may have on vulnerability and security research in general.
Many industries have already been sharing information successfully; in many cases private industry has richer threat data than the government, as well as analyst and security research teams that can make sense of the data. Many of these organizations may not want to share their information with the government, or with others. It will be interesting to see what data actually gets shared and, more importantly, how the government plans to share that data, as it has usually not had a good record of developing, managing and securing large-scale federated systems for information sharing.”