State of the Union Thoughts

As I watched the State of the Union speech, I waited for almost an hour to hear the President mention some of the cybersecurity initiatives that were released last week to titillate government, businesses and consumers to believing that, for once, cybersecurity was going to be taken seriously as a substantiated threat to our economic future.

When the news was released almost two weeks ago about some of these “critical” cybersecurity initiatives, not many in the cybersecurity realm were impressed. Most of what was mentioned — the 30 day breach notification, release of FICO scores, legislation about cybersecurity sharing, criminalizing the sale of Personally Identifiable Information (PII), would not do much to secure the critical data that businesses and consumers need to protect. Still, these ideas are an improvement, but not one of these initiatives were mentioned last night.

To Mr. Obama’s credit, he now understands that cybersecurity attacks are a danger to the U.S economy and is the first President to mention them in a SOTU address. However, as we know, the difference between talking and taking necessary action is a large one and will require levels of bi-partisan support not usually seen in today’s politics. Fortunately, most members of Congress realize this and, with some of the legislation on the books, the most recent being the Cyber Information Sharing Act of 2014 (which made it out of committee but did not make it to a floor vote), the support is there. With the impact of recent hacks on businesses culminating in their mention in last night’s address, it is certain that this will be taken up first by Congress.

But the devil is in the details. While making talking points for the middle class with phrases like “hackers cannot invade the privacy of families, especially our children,” and “we will pass legislation to combat ID thef…,” it is also intellectually dishonest to infer that the government can prevent hacking, through any means, against corporations or private citizens. If the government used the legal, military, political and economic capabilities collectively, it might diminish the national threat, but to infer that the government can protect every citizen and company is to provide false hope.

But it is Mr. Obama’s mentioning of passing legislation to combat ID theft amongst other grand objectives that should concern the American citizen and business owner most. The issue of legislating cybersecurity is the one area that will have the most significant impact on all the stakeholders in cybersecurity: the government, large businesses, small and mid-size businesses (SMB) and the consumer. The very aspects that this legislation must address: integration of intelligence; sharing of hacking data and individual information; indemnification of participating companies; privacy of corporate and personal information; increasing the ability of law enforcement to investigate and prosecute cyber criminals; the potential for another government bureaucracy; and more mandates posing critical challenges to the development of a well thought out bill.

As proven by previous attempts to pass legislation, whether its cybersecurity, health care, or finance, bills rushed through Congress in the heat of the moment are rarely thought through and carry significant risks that they will not cure the problems they were intended to address. Much careful thought on the part of Congress, businesses of all sizes, the cybersecurity environment academia, law enforcement and more importantly the American citizen should be conducted before a draft measure is even proposed.

While cybersecurity seems to be a hot topic, the administration and well-intentioned Congressmen should take their time in pushing through legislation and bills in order to earn the respect of all stakeholders in cybersecurity. While there is no doubt that Mr. Obama’s initiatives are a good start, care should be taken to ensure that cybersecurity threats are addressed, but not at the expense of entangling corporations in government regulations and endangering the privacy of all American citizens.