The Obama Administration outlined what it called sweeping cybersecurity legislation Thursday (May 12), but the proposed new law still provides few incentives, and even fewer legal requirements, for the private sector to provide appropriate security for sensitive personal information, according to an Indiana University cybersecurity expert.
Fred H. Cate, director of the Center for Applied Cybersecurity Research and Distinguished Professor at the Maurer School of Law, said Thursday's announcement from the White House again focuses on new technologies and collaboration, rather than the creation of legal and economic incentives for private businesses and organizations to better protect their data. In the wake of massive data breaches at companies like Epsilon and Sony, it's clear those businesses and organizations aren't doing their part, he said.
"Since taking office, the Obama Administration has recognized that cybersecurity poses a severe threat to the government, industry, and individuals," Cate said. "But the president has consistently refused to provide legal incentives for industry to invest in good information security."
The president himself noted nearly two years ago that "the vast majority of our critical information infrastructure in the United States is owned and operated by the private sector." While seeking technologically driven solutions, the Obama Administration has neglected the one tool that most cybersecurity experts agree would have the most impact, Cate said, and that is new law. Requiring private sector businesses to take more responsibility for their data would be a significant step, but one lawmakers have been reluctant to take.
"The administration's 'hands-off' approach to cybersecurity thus far hasn't worked," Cate said. "Without appropriate incentives, industry won't invest sufficiently in good security. It really is that simple. Remember, despite possessing sensitive personal information on more than 100 million users of its PlayStation Network, Sony didn't even have a chief information security officer until a hacker infiltrated their network."
The plan released Thursday by the White House includes tools already being widely used. It clarifies for private industry that it can ask for help from the federal government when dealing with cyberattacks and puts into place a federal breach notification law -- two things, Cate said, that are already taking place.
"The outline of the proposed law completely ignores the fact that there is a growing recognition that the hardest issues in cybersecurity are not technical, but rather legal, behavioral, and organizational," Cate said. "The continuing focus on technology misses the point that we know how to build very successful mousetraps; we just so far haven't proved very good at getting people to invest in and use them."
Cate noted the irony in the president's proposal to subject federal cybersecurity efforts to review for their impact on privacy and other civil liberties.
"The law already requires this, and provides the agency -- the Privacy and Civil Liberties Oversight Board -- to conduct the review," Cate said. "But more than two years into his administration, the president has failed to nominate the members of that board."
Though he commended the president for saying cybersecurity is one of his administration's top priorities, Cate said it will take far more than what has been shown in President Obama's first two years.
"Improving cybersecurity is a huge, but vital, task," he said. "It is a process, not an end. It is a fight we may never win, but we don't stand a chance if we don't bring our laws up to date."
Explore further: Expert: Obama's cybersecurity response disappointing in scope