Cybersecurity Concerns Spotlight Obama's State of the Union Cyber Agenda

Two-and-a-half years ago, President Barack Obama evoked graphic images of the disaster a cyberattack on the nation's infrastructure could create if Congress did not pass cybersecurity legislation.

Two years ago, during his State of the Union address, Obama would announce that he signed a cybersecurity executive order placing the Department of Homeland Security in a key role protecting the nation's critical infrastructure.

For example, in 2014 DHS leveraged existing grant programs not dedicated to cybersecurity to bolster state and local cybersecurity initiatives.

Obama once again called for congressional action on cybersecurity during his remarks on Tuesday evening, but this time invoking the need to protect privacy and the economy.

Photo Credit: Shutterstock

"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. So we're making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism," said Obama.

Obama's remarks come just over a month after the Federal Bureau of Investigation accused North Korea of orchestrating the cyber attack against Sony.

"And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children's information. That should be a bipartisan effort," he said.

While using his platform to call for shoring up the nation's cyber defenses might have been a highly anticipated segment of the speech, it should hardly come as a surprise.

Not only did the cybersecurity executive order initiate a two-year timeline for the government and industry to develop cybersecurity standards, but the White House accompanied it with yet another call for cyber legislation.

"The administration continues to believe that legislation is needed to fully address this threat," the White House said in a 2013 fact sheet about the executive order.

"Existing laws do not permit the government to do all that is necessary to better protect our country. The Executive Order ensures that federal agencies and departments take steps to secure our critical infrastructure from cyber attack, as a down-payment on expected further legislative action," said the White House.

AP

According to GovTrack's database, Congress has dealt with 488 cybersecurity-related bills since 1997. As of January 20, eight have been introduced during the new Congress alone; 93 were introduced during the 113th Congress.

Obama signed into law several cybersecurity-related bills in December 2014: the Federal Information Security Modernization Act, the National Cybersecurity Protection Act of 2014, the Cybersecurity Workforce Assessment Act, and the Border Patrol Reform Act.

And yet, for all of Congress' efforts, fights over cybersecurity laws continue, the nation's infrastructure remains vulnerable to attack and the administration's credibility on privacy suspect.

"Even as the federal government is forcing telephone companies to hand over phone call records of millions of Americans, and maintaining that a warrant should not necessarily be required to access private data stored in the cloud, the president is pretending that our real privacy enemy is the private sector," blogged Ryan Radia, associate director of technology studies the right-leaning Competitive Enterprise Institute.

"All the while, the White House has been sluggish at best in moving to amend outdated laws such as the Electronic Communications Privacy Act, USA PATRIOT Act, and Foreign Intelligence Surveillance Act," said Radia.

The slow speed of the legislative process presents a major hurdle for politicians and bureaucrats looking to intervene in the technology world. By the time a particular law governing the technology space is passed, it may already be obsolete.

A recently published survey by the global information technology association ISACA found that 46 percent of respondents expected their company to be hit by a cyberattack in 2015 and 83 percent believed that cyberattacks were one of the top three threats facing an organization.

Not only does the Internet's open architecture leave considerable room for hackers to exploit, but software vulnerabilities are inherent in the development process.

A 2012 study commissioned by development testing firm Coverity, for example, reported that three to 10 defects could be found for every 10,000 lines of computer software code.

The study also found that a software project could contain 1 million lines of code, meaning that at least 300 defects would need to be detected and corrected.

But as the Huffington Post reported, even looking for these vulnerabilities as a legitimate security researcher could be problematic under the Obama administration's plans to update an anti-hacking law.

Cybersecurity researcher Rob Graham argues in a piece in Wired that "the most important innovators this law would affect are the cybersecurity professionals that protect the Internet."

"If you cared about things such as 'national security' and 'cyberterrorism,' then this should be your biggest fear. Because of our knowledge, we do innocent things that look to outsiders like 'hacking,'" said Graham.

"Protecting computers often means attacking them. The more you crack down on hackers, the more of a chilling effect you create in our profession. This creates an open-door for nation-state hackers and the real cybercriminals," said Graham.

Certain penalties for violating the Computer Fraud and Abuse Act begins as misdemeanors. The administration wants the minimum penalty to be a felony with a minimum sentence of three years in prison.

The federal government was prosecuting Barrett Brown --- an investigative journalist, satirist, and former spokesman for the hacktivist collective Anonymous --- who faced 100 years in prison under the CFAA for allegedly posting a link to stolen data from private intelligence firm Stratfor.

The federal government dropped a majority of the charges in March 2014. Brown's sentencing is scheduled for January 22 regarding the alleged threatening of FBI agents.

In honor of the late Internet activist Aaron Swartz who was prosecuted under the CFAA, Wyden, and Rep. Zoe Lofgen (D-Calif.), sponsored Aaron's Law, which would have decreased the penalties in the CFAA, but failed to gain traction.

"I have deep concerns about adding any powers or penalties to the CFAA given how poorly this law is applied," said Sen. Ron Wyden (D-Ore.), according to the Huffington Post.

Josh Peterson is the National Technology Reporter at the Franklin Center for Government and Public Integrity.

–

TheBlaze contributor channel supports an open discourse on a range of views. The opinions expressed in this channel are solely those of each individual author.