Last night was going to be a big mainstream win for cybersecurity. The President was expected to take to the podium guns blazing to talk about cyberwarfare, and security wonks were encouraged to tune in live to hear the President’s big plans for the future.
Instead, they got about 30 seconds of vague talk about how cyber-attacks are definitely bad and that we should fight them. Here is the entirety of what the President said about cybersecurity last night:
No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.
But we are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. That should be a bipartisan effort.
It was an uncontroversial, save-the-children message that carried no weight and made no promises. At least when he talked about Mars, he gave timelines and named names. Cybersecurity experts weren’t much impressed by the President’s brevity either:
No mention of what we can do to protect ourselves and our private data. No mention of how we’ll codify our future responses to state-level cyber-attacks from countries like Russia, China or North Korea. No mention of embedded systems, the Internet of Things or the growing number of attacks on our basic infrastructure.
That’s not to say the President has no plan. Before the State of the Union, the president unveiled a couple of measures that are mostly just punishments and provisions to deal with attacks that have already happened. For example, legislative letters reveal that part of the plan is for the Department of Justice to beef up and “modernize” outdated and medieval laws like the Computer Fraud and Abuse Act.
As the Electronic Frontier Foundation (EFF) pointed out, the DoJ’s vision of modernization mainly consists of doling out possible three- to ten-year prison sentences for “exceeding authorized access,” a charge that could cover something as trivial as breaking a website’s terms of service or sharing your HBO Go password with your roommate.
The EFF called the new proposal a poor resurrection of the dead bill CISPA—a previous attempt at cybersecurity legislation the EFF says was a “perfect storm” of threats to our privacy. The Department of Homeland Security wants companies to quickly share information with them about cyber-attacks in exchange for immunity, but this asks companies to share private user data with the DHS—a provision in older legislation that got people riled up enough to kill previous attempts at cybersecurity laws.
“Bipartisan cheerleading for cybersecurity aside, there is fierce industry opposition to new security or privacy rules,” Tim Edgar, Obama’s former Privacy Director, wrote for Wired. “Meanwhile, civil liberties and privacy activists think that panic about cyber breaches will lead to surveillance and filtering that would destroy the open Internet in the name of saving it. Accommodating these concerns should not be an impossible task, but in today’s Washington, it has been.”
To be fair, not every part of the President’s plan is either empty or terrible. One proposal is a federal law that would require companies to tell users they’ve been hacked within 30 days of a breach. It’s a band-aid measure, but it is much better than leaving those issues to a patchwork assortment of state-level disclosure laws. So that little legal flourish is at least decent.
But what could President Obama have said? First, he could have mentioned that between 2006 and 2013, cyber-attacks on federal IT systems went from 5,503 annual instances to over 61,000, and that no amount of federal spending has stopped that growth so far.
He could have mentioned that this isn’t just the Government’s problem or SONY’s problem: tens of millions of Americans had their information stolen in breaches at retail chains like Target and Home Depot. Or that even when SONY was hacked, it reverberated through the lives of 47,000 Americans whose private information was delivered on a silver platter to the tabloid media in neat Excel spreadsheets.
He could have admitted that the cyber threats are way over the Federal Government’s head, and that according to Politico, Capitol Hill staffers themselves think it’s “amazing” that congressional and senatorial staffers haven’t been seriously hacked yet, as far as we know. He could have admitted that any InfoSec wonk worth his salt will tell you that the number one cause of security breaches is human error, laziness and mistakes, and that our best hope for protecting our data is to educate ourselves and be more diligent in taking personal responsibility, while at the same time demanding access to safe tools that make that possible.
It’d be nice to know whether the government just isn’t paying attention, or whether they genuinely have no idea what they’re doing.