Obama’s Cyber Security Proposal: A Great First Step, Here’s How to Improve It

By: Absolute Team | 5/19/2011

Last week, the Obama administration laid out its proposal for a new cybersecurity law to Congress. This proposal arrived on the heels of some major data breaches at well-known organizations, including Sony’s PlayStation Network, email service provider Epsilon and third-party password manager LastPass. The unfortunate outcome is that millions of consumers have had their personal information leaked, and the organizations at fault face serious blows to both their reputation and their business.

As data breaches become a more widespread problem, the call for government intervention has grown louder. This has prompted the Obama administration to send the Cybersecurity Legislative Proposal to Congress. The proposal is an important first step toward ensuring that the number of data breaches drops, an urgent issue given that the number of breaches in the United States is at an all-time high.

In an effort to prevent and decrease the overall number of breaches in the US, the Obama administration has proposed that:

  1. Companies that tell the Department of Homeland Security (DHS) about an ongoing attack can receive help from the federal government and will not face penalties. This encourages more sharing of information, while also providing federal help to stop the breach quickly.
  2. Penalties would be increased for those caught carrying out the attacks, with mandatory minimum sentences of at least 3 years.
  3. Critical infrastructure organizations will have to undergo audits of their IT infrastructure. Some of this information could be made public, but the proposal is unclear on which “critical infrastructure” organizations would be included.
  4. The law would create national cybersecurity guidelines, establishing universal policies for all organizations to follow.

Currently, cybersecurity regulation in the United States is handled mostly at the state level. For example, 47 states require companies to report breaches to customers, which means that in three states companies do not need to report at all. This adds confusion about when to report and how much to report. The proposed law would give all organizations a clear, straightforward way to respond to breaches, no matter where in the U.S. they conduct business. That’s a much-needed clarification, which businesses and consumers will surely appreciate.

But while this proposal is a great first step in legislating cybersecurity, it does little to enforce preventative measures. Instead, the law outlines ways for the government to punish those who cause a breach and companies that fail to report that their network has been breached. Companies would not, however, suffer financially if their security policy isn’t up to snuff – a major criticism of the proposed law.

Requiring organizations to implement multi-layered security policies would help ensure that data breaches drop from those all-time highs. We’ve seen this ourselves with our customers: enterprises that know exactly what to do when a breach occurs are better prepared to protect consumers both before and after a data breach.

We encourage lawmakers to strongly consider the steps that can be put in place to hold companies accountable for their IT security policies – making sure that every policy includes training, management of the network and step-by-step data breach reporting procedures. Most importantly, regardless of whether these measures are put into law, IT managers should not wait to review all of their internal cybersecurity policies and make sure their companies are protected against breaches now.
