Grading the President’s SOTU Cybersecurity Agenda

In the wake of the furor over the Sony Pictures attack, President Obama came out swinging in his State of the Union speech earlier this week. Not to be outdone, Senator Joni Ernst (R-Iowa) included a cybersecurity-centric sentence or two in the Republican’s response.

Yup, the President is finally rolling up his sleeves and proposing some Federal cybersecurity initiatives, but are these the right actions? Allow me to offer my two cents by grading each of the proposals.

1. Increased security/threat intelligence between the public and private sector (Grade = B-)

This is a new spin on the old “public/private partnership” that arises from time to time across a myriad of areas. Furthermore, Congress has been wrangling over this for the past few years – first with the Cyber Intelligence Sharing and Protection Act (CISPA) and more recently the Cybersecurity Information Sharing Act (CISA). 

So what’s the problem? Neither of these bills went far enough with privacy protection so the Feds need to work harder. Aside from this, there is already plenty of intelligence sharing going on and most intelligence sharing is pretty elementary (i.e. emails of IP addresses, file hashes, etc.). For this effort to succeed, the Feds need to support and promote some type of automated cyber intelligence sharing effort based on things like STIX/TAXII, FS-ISAC Soltra, or MITRE’s Collaborate Research Into Threats (CRITs). Finally, the Feds don’t have an especially good track record on timely threat sharing. According to a recently published GAO report, US CERT was often weeks behind the private sector in its publication of software vulnerabilities over the past few years. Cyber intelligence sharing will fail unless this lax execution improves.

2. Establishing a Federal breach notification law (Grade = A-).

Forty seven states have individual data breach laws of one form or another. While these laws protect the personal information of citizens, they can also exacerbate the cost of a data breach by forcing organizations to comply with a potpourri of state laws. Consolidating this amalgamation into one federal standard makes sense, but only if the federal law is written to be as tough as the toughest state law on the books. My fear is that lobbyists convince Congress to water down the federal law, resulting in a big step backward for data protection and privacy.

3. Bolstering law enforcement’s ability to investigate and prosecute cybercriminals (Grade = B).

This is a good thing if it means increased federal funding for equipment, staffing, and training of federal, state, and local law enforcement. Alternatively, it’s a bad thing if it involves more government snooping and less personal privacy. We’ll see.

4. Funding cybersecurity education programs (Grade = C).

Earlier this month, Vice President Biden announced a $25 million Dept. of Energy grant to support cybersecurity education programs at 13 historically black colleges and two national labs. While I’m all for federal funding for cybersecurity education, the feds continue to throw money around haphazardly. What’s needed is a national cybersecurity education strategy that establishes specific universities as centers of cybersecurity excellence in order to produce the next generation of cybersecurity leaders.

5. Announcement of a cybersecurity summit at Stanford University on February 13 (Grade = D).

OK, maybe I’m bitter about this one as I haven’t been invited, but in my experience, federally led “summits” are nothing more than schmooze-fests for lobbyists, fund raisers, and rich fat cats. This event will produce some slick YouTube videos and little else.

I applaud the President for getting cybersecurity on the table, but the feds need to do more and soon. See my January 5th blog post for more details on what needs to be done.