White House cybersecurity plan falls short, IU expert says

May 16, 2011, Indiana University

The Obama Administration outlined what it called sweeping cybersecurity legislation Thursday (May 12), but the proposed new law still provides few incentives, and even fewer legal requirements, for the private sector to provide appropriate security for sensitive personal information, according to an Indiana University cybersecurity expert.

Fred H. Cate, director of the Center for Applied Cybersecurity Research and Distinguished Professor at the Maurer School of Law, said Thursday's announcement from the again focuses on new technologies and collaboration, rather than the creation of legal and for private businesses and organizations to better protect their data. In the wake of massive at companies like Epsilon and Sony, it's clear those businesses and organizations aren't doing their part, he said.

"Since taking office, the Obama Administration has recognized that cybersecurity poses a severe threat to the government, industry, and individuals," Cate said. "But the president has consistently refused to provide legal incentives for industry to invest in good ."

The president himself noted nearly two years ago that "the vast majority of our critical information infrastructure in the United States is owned and operated by the private sector." While seeking technologically driven solutions, the Obama Administration has neglected the one tool that most cybersecurity experts agree would have the most impact, Cate said, and that is new law. Requiring businesses to take more responsibility for their data would be a significant step, but one have been reluctant to take.

"The administration's 'hands-off' approach to cybersecurity thus far hasn't worked," Cate said. "Without appropriate incentives, industry won't invest sufficiently in good security. It really is that simple. Remember, despite possessing sensitive personal information on more than 100 million users of its Network, Sony didn't even have a chief information security officer until a hacker infiltrated their network."

The plan released Thursday by the White House includes tools already being widely used. It clarifies for private industry that it can ask for help from the federal government when dealing with cyberattacks and puts into place a federal breach notification law -- two things, Cate said, that are already taking place.

"The outline of the proposed law completely ignores the fact that there is a growing recognition that the hardest issues in cybersecurity are not technical, but rather legal, behavioral, and organizational," Cate said. "The continuing focus on technology misses the point that we know how to build very successful mousetraps; we just so far haven't proved very good at getting people to invest in and use them."

Cate noted the irony in the president's proposal to subject federal cybersecurity efforts to review for their impact on privacy and other civil liberties.

"The law already requires this, and provides the agency -- the Privacy and Civil Liberties Oversight Board -- to conduct the review," Cate said. "But more than two years into his administration, the president has failed to nominate the members of that board."

Though he commended the president for saying cybersecurity is one of his administration's top priorities, Cate said it will take far more than what has been shown in President Obama's first two years.

"Improving cybersecurity is a huge, but vital, task," he said. "It is a process, not an end. It is a fight we may never win, but we don't stand a chance if we don't bring our laws up to date."

Explore further: Expert: Obama's cybersecurity response disappointing in scope

Related Stories

Is danger of identity theft overblown?

May 23, 2006

The announcement yesterday about the loss of personal electronic data on up to 26.5 million veterans is the latest in a string of similar reports about information security breaches at major institutions in the last two years. ...

White House set to unveil cyber plan

May 12, 2011

The White House on Thursday is expected to unveil its proposal to enhance the nation's cybersecurity, laying out plans to require industry to better protect systems that run critical infrastructure like the electrical grid, ...

White House unveils cybersecurity plan

May 12, 2011

Companies that run critical U.S. industries such as power plants would get government incentives to make sure their systems are secure from computer-based attacks, the White House said Thursday, detailing its broad proposal ...

Recommended for you

Pushing lithium ion batteries to the next performance level

December 13, 2018

Conventional lithium ion batteries, such as those widely used in smartphones and notebooks, have reached performance limits. Materials chemist Freddy Kleitz from the Faculty of Chemistry of the University of Vienna and international ...

Uber filed paperwork for IPO: report

December 8, 2018

Ride-share company Uber quietly filed paperwork this week for its initial public offering, the Wall Street Journal reported late Friday.


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.