In his State of the Union address, US president Barack Obama has pledged to urge Congress to pass a raft of legislation aimed at improving US cyber security.
In recent days he has outlined several key proposals, but did not make specific mention of any of them or add any details in his speech.
In a speech at the US Federal Trade Commission on 12 January, Obama outlined proposals for a single data breach notification law for all US states that will require companies to alert customers within 30 days of discovering a security breach of customer data.
He also outlined proposals aimed at improving student data protection. The Student Digital Privacy Act is aimed at stopping companies from selling student data to third parties for non-educational purposes.
In other speeches in the run-up to the State of the Union address, Obama outlined proposals on information sharing between private companies and the government, and increased penalties for violations of the Computer Fraud and Abuse Act.
“We’re looking beyond the issues that have consumed us in the past to shape the coming century,” Obama said in his State of the Union address on 20 January.
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” he said.
Obama said the US is making sure the government integrates intelligence to combat cyber threats in the same way it has done to combat terrorism.
“And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft and protect our children’s information.
“If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe,” he said.
Obama also pledged to protect “a free and open” internet and to extend its reach to every classroom and every community.
He said he would help build the fastest networks, so that the “next generation of digital innovators and entrepreneurs have the platform to keep reshaping our world”.
Cyber security proposals welcomed
Although Obama’s proposal to toughen up on Computer Fraud and Abuse Act violations has raised concerns among some civil liberties and security experts, his proposals have mostly been well accepted.
Global software industry group, BSA – The Software Alliance, welcomed the policy priorities announced by Obama.
In his address the president touched on key priorities outlined in BSA’s 2015 Legislative Agenda released last week, including trade, innovation and the digital economy.
“More than ever before there is a clear need for strengthening our nation’s cyber security. We welcome President Obama’s efforts and those of Congress to increase the partnership and collaboration between industry and government,” said Victoria Espinel, president and chief of BSA.
“This approach will allow us to better identify and defend against the increasing number of sophisticated, evolving cyber security threats,” she said.
“Recently, we have watched cyber criminals not only engage in more complex attacks, but also seen the proliferation of hacking guns for hire.
“Creating legislation that clearly states the illegality of selling botnets will combat the exponential growth of malicious bots trolling the internet, which by our own research makes up 30% of all web traffic,” he said.
Gaffan also said there was “great potential” in allowing courts to shut down bots engaged in distributed denial of service (DDoS) attacks and other illegal activity.
“These types of attacks cost businesses an average of $500,000 in damages, and as we saw recently with the Sony hack, organisations under attack are largely helpless in protecting themselves once their network has been breached,” he said.
Chris Roberts, vice-president public sector at Good Technology, said the company welcomed the focus on improving cyber security by the US, UK, France and Germany.
“It’s our hope that legislation will provide law enforcement and intelligence agencies with the tools to aggressively combat cyber criminals, terrorists and cyber vandals.
“Our hope is that legislation designed to make citizens safer does not weaken law-abiding individuals, companies or organisations' ability to protect themselves and their data from those who wish to exploit it,” he said.
Digital freedom concerns
However, not all security industry responses were positive. Sean Sullivan, security advisor at F-Secure, predicts that sections 215 and 206 of the US Patriot Act and section 6001 of the Intelligence Reform and Terrorism Prevention Act will be re-authorised before their 1 June 2015 expiration date.
“Post-Snowden, it appeared as though the controversial provisions might lack the political support needed to avoid sunset. But now, we are confident that Washington DC will act to protect itself from 'nation state cyber-terrorism' and will renew them after all. Don't expect reform in 2015. The violation of your digital freedom will continue,” he said.