Obama State Of The Union Pushes Cybersecurity Legislation

President Barack Obama made cybersecurity legislation a key priority in his State of the Union address Tuesday, urging Congress to make a bipartisan effort to address data security, the stability of the nation’s critical infrastructure and its ability to defend against a major cyberattack.

In his sixth State of the Union Address, Obama advocated legislation that fosters threat intelligence sharing by offering liability protection for security vendors and other organizations that collect sensitive threat information if the data can be made anonymous. Obama’s proposal would set up a voluntary system to collect the data overseen by the Department of Homeland Security's National Cybersecurity and Communications Integration Center. The legislation is similar to previous proposals, but the Obama administration said it believes it has taken additional steps to address privacy concerns.

"If we don't act, we'll leave our nation and our economy vulnerable," Obama said. "If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."

Other Obama administration cybersecurity reforms include giving the Justice Department the ability to prosecute the criminals behind botnets designed to spread malware and conduct attack campaigns that drain bank accounts and steal account credentials and other sensitive information.

"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids," Obama said. "So we're making sure our government integrates intelligence to combat cyberthreats, just as we have done to combat terrorism."

The Obama administration also is addressing the lack of federal data breach notification rules. In an earlier speech at the Federal Trade Commission this month, Obama called for a 30-day notification requirement when a company learns of a data breach. The Personal Data Notification & Protection Act also criminalizes illicit overseas trading or selling of stolen identity data, giving law enforcement the broader ability to seek extradition of foreign cybercriminals to face justice.

Obama's proposals have the backing of the Chamber of Commerce and National Retail Federation, but privacy advocates warn that offering liability protection to companies could expose the personal information of Americans and give private companies the ability to conduct a level of surveillance on consumers. Policy experts aren't optimistic that any legislative proposals will pass the Republican-controlled House and Senate and say the gridlock in Washington is likely to continue until the 2016 election.

In 2013 Obama authorized an executive order establishing guidelines for critical infrastructure protection. The result of that order was the National Institute of Standards and Technology Cybersecurity Framework, which set up voluntary minimum security guidelines for critical infrastructure protection. The Department of Homeland Security also has established a threat intelligence exchange with key managed security services providers.

Solution providers say any legislation would not likely have any immediate impact on the security industry. Private sector security researchers already work alongside federal officials during data breach investigations. The attention drawn to the issue could get organizations to assess their current security preparedness and consider investing in additional technology or services.

The recent spate of high-profile data breaches helped foster awareness at the highest levels of organizations, said John Wondolowski, CTO of Mill Valley, Calif.-based Chouinard & Myhre, a security solution provider. IT budgets are being shifted to address enterprise security, but it is being done very judiciously, taking into account the organization's risk tolerance and security technology that has already been put in place.

"Up until this point it has been rare for us to be in a company where the visibility of its security is at the board level," Wondolowski said. "The board is now asking whether the Target or Sony breach could happen to them."

The retail industry, for its part, is now working to modernize payment terminals to accept chip-based credit card payments with incentives aimed at getting terminals more widely deployed by the end of the year. The long line of retail data breaches has prompted Obama to issue an executive order on payment fraud, forcing federal agencies to purchase modern payment terminals that support chip-embedded credit cards designed to thwart fraud at brick-and-mortar stores. The order also requires agencies that accept online payments to protect personally identifiable information using multifactor authentication and establish effective identity proofing to protect privacy.