The White House released a proposal for cybersecurity legislation today. The fact sheet can be found here. This is a proposal for legislation – a framework for a bill. What final bill emerges and gets voted on, and ultimately becomes law (if anything does), is yet to be determined. I have only read through the fact sheet, so here is my preliminary analysis.
1. This goes beyond CIP (critical infrastructure protection).
The proposal focuses primarily on critical infrastructure protection. But it also extends to the area of data breaches in general – which can hit organizations in any industry sector. Related to that, it also addresses consumer protections regarding data breaches. This added focus on consumer protection really has nothing to do directly with CIP. But the cybersecurity proposal is probably Obama’s best chance to get something like this through. However, I put the chances of these consumer protections surviving the legislative journey at less than 50%.
2. DHS is taking a lead role in security information sharing.
According to the fact sheet:
“Organizations that suffer a cyber intrusion often ask the Federal Government for assistance with fixing the damage and for advice on building better defenses…[This proposal] provides [organizations sharing information with the DHS] with immunity when sharing cybersecurity information with DHS. At the same time, the proposal mandates robust privacy oversight to ensure that the voluntarily shared information does not impinge on individual privacy and civil liberties.”
This is more than a mechanism to report attacks and gather attack data. This is designed to establish a hub for sharing security information of all forms among public and private sector organizations. Security vendors should get behind these efforts and in fact drive them, as it will improve the solutions landscape and your value to your customers.
3. Organizations in critical infrastructure sectors will have their IT security audited, and a summary of results may be made public.
“Critical infrastructure operators would develop their own frameworks for addressing cyber threats. Then, each critical-infrastructure operator would have a third-party, commercial auditor assess its cybersecurity risk mitigation plans. Operators who are already required to report to the Security and Exchange Commission would also have to certify that their plans are sufficient. A summary of the plan would be accessible, in order to facilitate transparency and to ensure that the plan is adequate.”
Companies that operate systems critical to the nation’s economy must develop plans for securing their systems and have to hire commercial auditors. This approach didn’t work out well in the financial industry, and cybersecurity and IT risk management is arguably as complex as some of the financial instruments and undiscovered systemic risk issues that led to the financial collapse.
The moderate degree of openness proposed makes sense. If cybersecurity is such a threat, whether and the degree to which a company is defending against therefore has a material impact on their business. So public companies should be disclosing this.
But there will likely be a lot of resistance to a mandate that this information be made public. Companies with good results might want that information public: e.g., to overcome customer concerns or to be more appealing to partners. But even those with good scores may want to keep that quiet rather than risk making themselves a target for attack merely by publicizing this fact.
4. This would establish federal data breach notification laws that supersede state laws.
This proposal would put a legislative umbrella over the patchwork quilt of state regulations on data breach disclosure. It wouldn’t supersede PCI or other contractual requirements one business partner puts on another. If the PCI body ever wanted it expanded into disclosure (not that that’s likely), it could still do so. It also appears that the laws would not extend beyond specific elements of PII. That’s a shame. Given what we’re seeing in the voraciousness of companies in collecting all sorts of data generated by people visiting their websites and using their apps, and the commensurate appetite of hackers for all that data, the focus on specific PII is unfortunate.
When it comes to data breach disclosure, there's a simple rule that should apply: If it’s worth stealing, then it’s worth knowing that it’s been stolen.
So what does all this mean for the security industry, critical infrastructure companies, and consumers?
- Auditors and security consultants. To auditors and consulting firms conducting assessments, this will bring them all sorts of new business from the critical infrastructure sector companies, analogous to what PCI brought them from companies holding card data.
- Security vendors. As with PCI, this will translate into direct mandate for certain security technology and services. Wall Street has already reacted to this announcement: Symantec rose 3.4%, Fortinet rose 1.5%, Accenture rose 1.3%, Check Point rose 1.3%, Juniper rose 3.8%, Sourcefire rose 1.2%, and Websense rose 1.5%. That translates to about a $2B collective increase in market cap.
- Consumers and Internet libertarians. They win by what this proposal wasn’t. It wasn’t used as an opportunity to legitimize or expand warrantless searches of consumers’ communications, devices, or online data, nor to support heavy-handed efforts to stem file-sharing.
- Security professionals. The US government was already one reason why market demand for experienced IT security professionals has greatly outpaced existing supply, and now it seems they’ll be more so.
- Consumers. Data protections will likely stagnate if they take power away from state governments. This will limit what needs to be disclosed when, the data types covered, and the potential compensation for the consumer victim.
- Critical infrastructure companies. Their cybersecurity initiatives are now going to have to answer to outside auditors, resulting in higher security investment, and will likely siphon money away from other security projects they may deem more business-relevant.