White House cybersecurity plan falls short, IU expert says

May 16, 2011

The Obama Administration outlined what it called sweeping cybersecurity legislation Thursday (May 12), but the proposed new law still provides few incentives, and even fewer legal requirements, for the private sector to provide appropriate security for sensitive personal information, according to an Indiana University cybersecurity expert.

Fred H. Cate, director of the Center for Applied Cybersecurity Research and Distinguished Professor at the Maurer School of Law, said Thursday's announcement from the again focuses on new technologies and collaboration, rather than the creation of legal and for private businesses and organizations to better protect their data. In the wake of massive at companies like Epsilon and Sony, it's clear those businesses and organizations aren't doing their part, he said.

"Since taking office, the Obama Administration has recognized that cybersecurity poses a severe threat to the government, industry, and individuals," Cate said. "But the president has consistently refused to provide legal incentives for industry to invest in good ."

The president himself noted nearly two years ago that "the vast majority of our critical information infrastructure in the United States is owned and operated by the private sector." While seeking technologically driven solutions, the Obama Administration has neglected the one tool that most cybersecurity experts agree would have the most impact, Cate said, and that is new law. Requiring businesses to take more responsibility for their data would be a significant step, but one have been reluctant to take.

"The administration's 'hands-off' approach to cybersecurity thus far hasn't worked," Cate said. "Without appropriate incentives, industry won't invest sufficiently in good security. It really is that simple. Remember, despite possessing sensitive personal information on more than 100 million users of its Network, Sony didn't even have a chief information security officer until a hacker infiltrated their network."

The plan released Thursday by the White House includes tools already being widely used. It clarifies for private industry that it can ask for help from the federal government when dealing with cyberattacks and puts into place a federal breach notification law -- two things, Cate said, that are already taking place.

"The outline of the proposed law completely ignores the fact that there is a growing recognition that the hardest issues in cybersecurity are not technical, but rather legal, behavioral, and organizational," Cate said. "The continuing focus on technology misses the point that we know how to build very successful mousetraps; we just so far haven't proved very good at getting people to invest in and use them."

Cate noted the irony in the president's proposal to subject federal cybersecurity efforts to review for their impact on privacy and other civil liberties.

"The law already requires this, and provides the agency -- the Privacy and Civil Liberties Oversight Board -- to conduct the review," Cate said. "But more than two years into his administration, the president has failed to nominate the members of that board."

Though he commended the president for saying cybersecurity is one of his administration's top priorities, Cate said it will take far more than what has been shown in President Obama's first two years.

"Improving cybersecurity is a huge, but vital, task," he said. "It is a process, not an end. It is a fight we may never win, but we don't stand a chance if we don't bring our laws up to date."

Explore further: Second apparent leak of hacked celebrity nude pictures: US media

add to favorites email to friend print save as pdf

Related Stories

Is danger of identity theft overblown?

May 23, 2006

The announcement yesterday about the loss of personal electronic data on up to 26.5 million veterans is the latest in a string of similar reports about information security breaches at major institutions in the last two year ...

White House set to unveil cyber plan

May 12, 2011

The White House on Thursday is expected to unveil its proposal to enhance the nation's cybersecurity, laying out plans to require industry to better protect systems that run critical infrastructure like the electrical grid, ...

White House unveils cybersecurity plan

May 12, 2011

Companies that run critical U.S. industries such as power plants would get government incentives to make sure their systems are secure from computer-based attacks, the White House said Thursday, detailing its broad proposal to beef up the country's cybersecurity. ...

Recommended for you

Facebook dressed down over 'real names' policy

Sep 17, 2014

Facebook says it temporarily restored hundreds of deleted profiles of self-described drag queens and others, but declined to change a policy requiring account holders to use their real names rather than drag names such as ...

User comments : 0