Post State of the Union, reaction to proposed legislation remains mixed

Insiders and experts say that more work is needed

While most agree that it is generally a good thing that Congress and the Obama administration are prioritizing cybersecurity, those in the industry feel their efforts so far are a mixed bag of both good and bad.

However, while the bad seems to outweigh the good, those working behind the scenes urge hackers and InfoSec professionals to simmer down and look for ways to help make the positive changes that are needed.

On Tuesday, during the State of the Union address, President Obama said that no foreign nation, no hacker, "should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids."

"But we are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. That should be a bipartisan effort."

After days of hype and punditry, security earned a single paragraph in the President's speech. That's no small thing, but given the fears and concerns, as well as predictions that the speech would focus on the topic more, some experts felt it was a bit of a letdown.

"There seems to be a few things the Government and security community can agree on; for example, I think we agree that there needs to be more collaboration and transparency, and a stronger focus on preventing cyberattacks. Creating consistency for data breach notification is also a sensible measure," commented Jen Ellis, Senior Director of Public Affairs at Rapid7.

President Obama urged Congress to develop federal mandates on security standards, including increased information sharing between the private sector and the government, yet the proposal itself lacked in-depth focus on prevention and left several questions unanswered.

"The President's cyber security proposals are a welcomed step towards protecting both companies and individuals online," said Ben Desjardins, of Radware.

"However, these proposals are reactionary and only address attacks where the damage is already done. The government also needs to be more focused on what it can do to proactively prevent future cyber attacks from wreaking havoc on American businesses, infrastructure and individuals."

The biggest problem security experts and researchers have with the Obama administration's proposed legislation is the changes to the Computer Fraud and Abuse Act (CFAA).

Indeed, when it comes to the CFAA itself, the security community is right to be concerned. At the same time, the proposed changes aren't going to be passed overnight.

Salted Hash has spoken to insiders who are working to get better language into the CFAA proposal; language that will protect researchers and professionals alike as they work to secure a nation, but so far the task has been challenging, monumental even.

The current proposed changes to the CFAA were drafted – and defeated – in 2011. In fact, it wasn't until after the Thanksgiving holiday in the U.S. that the Obama administration put the CFAA back onto the table.

Considering everything that has happened in the past three years on the security front, especially all that happened in 2014, cyber security has been moving up the agenda both in the White House and Congress. The Obama administration had already been looking at drafting cyber security legislation, but when Sony happened it completely escalated the prioritization and the timeline.

Usually, interested parties in Congress are given proposed legislation ahead of time for comment, and committees will turn to insiders (including InfoSec people) and seek answers to questions while working towards a middle ground.

However, when it came to the CFAA there was no such comment period. That period started the moment the public first viewed the proposed changes.

"The current proposal for updating the CFAA does raise some significant concerns for the security community, particularly around implications for research. This needs to be fully investigated as research is a critical part of preventing attacks - we need to find, understand, and mitigate the vulnerabilities in our systems to limit opportunities for attackers. I believe the Administration understands this, and I'm hopeful that they will work with the security community to find a way of supporting research within the CFAA," said Ellis.

"It's important to remember that this is an initial proposal for updating the CFAA and we're now entering a period of consultation where various Congressional and Senate committees will be looking at the goals and evaluating the language to see what will work and what won't."

Therefore it's critical, she added, that the security community participates in this process in a constructive way.

"We share a common goal of improving cybersecurity. We need to remember that we understand security in greater depth and detail than most, so if we want to see the right approach taken we need to share our expertise."

If you want the CFAA to be corrected, the only option is to get involved. Simply complaining isn't going to solve anything. The first step is to contact your representatives, express your concerns and – if you have the inclination – offer your expertise.

The last time similar legislation was proposed, it failed. However, there is a mentality of "strike while the iron is hot" in Congress, so failure isn't assured this time around.

The EFF outlined the CFAA situation in a blog post earlier this month; it covers the history of the proposal and offers a summation of the law as it stands. It's worth a read if you're looking to understand the situation before taking action.

Copyright © 2015 IDG Communications, Inc.
