Against the backdrop of a seemingly never-ending spate of data breaches, the White House made a renewed push this week for better cybersecurity legislation, asking the new Congress to consider a comprehensive measure that addresses three major areas of concern. The first is the Personal Data Notification and Protection Act (PDNPA), which would establish the first federal standard for data breach notification. The proposal also addresses modernizing law enforcement tools to better combat cybercrime, and increasing cybersecurity information sharing between the private sector and government.
President Obama unveiled the plan in a speech at the Federal Trade Commission, which was initially met with enthusiasm, followed by (some would say inevitably) the raising of concerns around its various parts—concerns that are sure to blossom into full-blown public and political debate.
Addressing Data Breaches
Many have called for tougher reform and regulation around breach notification laws in the wake of the Target and Home Depot breaches, the Apple iCloud celebrity photo hack, and of course the Sony Pictures breach. Even frequent flier accounts aren't immune from hacker interest: this week we learned that thieves using stolen usernames and passwords broke into customer accounts at both American Airlines and United Airlines, booking trips with people's mileage balances.
The problem is that in many cases, affected consumers don’t find out that they may have been a victim of these attacks until many weeks if not months after the breach occurs. Companies often carry out their own forensics investigations and examine their liability exposure before “going public” with an incident—while hackers are meanwhile having a field day with victims’ personal information or credit card data.
The PDNPA would help protect consumers by requiring companies to inform customers within 30 days of discovering that their personal information may have been exposed to hackers. It's a proposal that would offer a federal overlay to what is now a patchwork of notification measures. Some are state-level, like California's, which requires notification "in the most expedient time possible and without unreasonable delay" but sets no fixed number of days; and some are sector-specific, like the Department of Health and Human Services' Breach Notification Rule, under which HIPAA-covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery, a window twice as long as the one the PDNPA proposes.
Notification is Not Enough
What the PDNPA does not yet specify is what penalties, if any, would attach to violating the law.
“Like any legislation, this won't change how companies act unless there are real consequences and penalties,” said Eric Chiu, president and co-founder at HyTrust. “Also, with breaches happening more frequently and the damage getting bigger — especially when the primary threat is coming from the inside — this legislation will do little to slow down or stop the real threat. Ultimately, companies need to stop viewing security as an insurance plan; instead, they need to think of security as a part of doing business. Until that happens, we will continue to see these breaches take place.”
The President's focus here is clearly on making sure that breaches are publicized, and this, in turn, should create additional pressure for organizations to make a greater effort to avoid breaches rather than simply respond to them. Consumer awareness has been shown to create real consequences: Target lost several executives in the wake of its massive breach, including the CEO.
But while the notification piece is an important part of the data breach phenomenon, some slammed the White House for not addressing prevention as well.
“We would prefer to see a greater emphasis placed on preventing breaches and fraud rather than just informing the victims faster,” said John Gunn, vice president of corporate communications at VASCO Data Security.
He also said that regulation could be effective here—all too often, companies don’t have appropriate security measures in place. “In other industries, such as air travel and food safety, regulations are effective in averting tragedies instead of just making sure they are properly reported,” he said.
But regulatory frameworks are problematic too, noted Mark Bower, vice president of product management at Voltage Security. Prevention requirements would have to be nimble and flexible enough to keep pace with the rapid evolution of the threat landscape.
“If this legislation is to be effective to encourage wholesale adoption, it must be aligned to modern innovations and methods with built-in agility in enabling an effective data-security defense strategy,” he said. “Today’s attackers are agile innovators too and nobody wants to be compliant to regulations, at great cost, but still be a sitting duck in the line of sight of their next new attack.”
It’s clear that the devil is in the details here, and we can expect long weeks and months of debate on how to implement data breach legislation.
Information-Sharing Enhancements and Cracking Down on Hacking
Meanwhile, the White House would like to see the private sector share more information on cyber-threats, in exchange for targeted protection from liability for doing so. Those threat indicators would then be shared with government agencies such as DHS, the FBI, NSA, and the Secret Service, as well as with private-sector information sharing and analysis organizations (ISAOs) and centers (ISACs).
Overall, the package “promotes better cybersecurity information sharing between the private sector and government, and it enhances collaboration and information sharing amongst the private sector,” according to a White House statement.
Of course, some say that the measure doesn’t go far enough.
“Fighting a cyber-war – even a defensive one – requires the same three disciplines as a regular battle: you have to understand the terrain you’re fighting on, your own forces, and the movements of the enemy,” said Mike Lloyd, CTO at RedSeal. “The President’s proposal engages with the last of these problems – we need to share information, because no one defender can see what is going on, or which techniques are being used to attack other organizations, etc. This is a good step, but is not enough. If organizations hope to benefit from timely intelligence information, they will need to understand their own defensive posture and readiness.”
Both chambers of Congress have addressed information sharing legislation in the last year, but the bills failed to become law.
The proposal would also amend the Computer Fraud and Abuse Act (CFAA), including criminalizing the sale of stolen financial data. The amendments come with stiffer penalties for those convicted of hacking, with some maximum sentences doubled and some offenses elevated from misdemeanors to felonies.
Also, and this is significant: Obama proposes making computer hacking a "racketeering" offense, the category traditionally used against mobsters, which carries up to a 20-year sentence per count. Under the Racketeer Influenced and Corrupt Organizations Act (RICO), prosecutors can charge members of a criminal enterprise for a pattern of predicate offenses committed through that enterprise, even where an individual defendant did not personally carry out every offense; adding CFAA violations to the list of RICO predicates would extend that reach to hacking crews.
Classifying cybercrime as a form of mob activity actually makes a lot of sense. Much of today's financially motivated cybercrime is carried out by organized criminal groups, often based in Russia and other parts of Eastern Europe, and hacking has become the new face of international financial crime. These groups are well resourced and quite powerful.
“When the mechanics of the economy can be manipulated and gamed by attackers from adversarial nation states and crime rings, action, not words, are needed to change the balance in asymmetric cyber-warfare in the US’s favor,” Voltage’s Bower said. “Despite the best prepared organizations using traditional IT defenses and controls, 2014 saw targeted attacks obliterate them and the nation witnessed theft of unprecedented volumes of private data with tremendous economic damage. Firms were held to ransom with threats of data exposure, and consumers were exposed and their lives and trust disrupted.”
Not everyone agrees, of course, either with the hacking provisions or even with the data breach act. Clearly, much public debate lies ahead on all of this.
“Along with its Hacking Prohibition law, Obama is also proposing a massive Internet Surveillance law,” wrote Rob Graham, a columnist with Wired. “Companies currently monitor their networks, using cybersecurity products like firewalls, IPSs, and anti-virus. Obama wants to strong-arm companies into sharing that information with the government, creating a virtualized or ‘cloud’ surveillance system.”