Cybersecurity will take center stage this week as Congress begins drafting legislation to address data breaches. In particular, they will be responding to President Obama’s call for a federal notification standard to alert consumers of breaches rather than, as the process currently stands, a separate state-by-state system. On Tuesday, hearings began in the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade with Chair Michael Burgess (R-TX-26) presiding over testimony from tech and retail companies. The issue will also be addressed by Chairwoman Barbara Comstock (R-VA-10) in the House Science Subcommittee on Research and Technology as they look at how the threat of cyberattacks is increasing.
We may not realize it, but our personal data is collected all the time. From the content of our emails to our shopping habits, very little we do on the internet is free from tracking. For example, Google’s Terms of Service indicate that “[their] automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.”1 And we all remember the drama around Target’s ability to predict a pregnancy based on various items a customer has purchased. This also means that all of this data is sitting somewhere and is susceptible to a breach.
And as we’ve seen this year, these breaches are not uncommon. According to a December Wall Street Journal/NBC News poll, “[s]ome 45% of Americans say they or a household member have been notified by a credit card company, financial institution or retailer that their credit card information had possibly been stolen as part of a data breach” and “15% said either they or a member of their household had been hit by online fraud or hacking.”2 The Infosec Institute also points to a heightened risk for products in the category of smart devices (such as smartphones and fitness trackers) and “Internet of Things.” The reason for this, a post published by the institute says, is a lack of a “shared strategy to mitigate cyber threats.”3 This past year alone we saw many instances of our cyber vulnerability: breaches at multiple retail companies, celebrity iCloud hacks, and even attacks coming from foreign governments. The general message is that cybersecurity is an increasingly important issue and one that will only continue to gain relevance as technology becomes more personal and data driven.
What’s also so fascinating and exciting about cybersecurity is that it is one of the rare issues that has bipartisan support. Because of the publicity around the recent Sony hack and other data breaches this year, The Hill’s Cristina Marcos lists cybersecurity as the number one issue most likely to get through Congress and receive a signature from the President. She expands on this, saying, “House Republicans have passed cybersecurity bills in the last two sessions of Congress and have expressed an openness to working with the White House on the issue.”4 Lauren Fox of the National Journal agrees, pointing out that “[o]f all the areas ripe for bipartisanship…enhancements to cybersecurity top the list.”5 In fact, both subcommittee chairs who are considering the issue this week are eager to move forward on the issue. Congressman Burgess is expected to “urge lawmakers to act quickly, saying they have a short window with the public attention from massive breaches and the endorsement from Obama,”6 while Congresswoman Comstock has said that “[cybersecurity] is and should be a top priority for the new Congress.”7
So what’s being done? Well, the most high-profile proposal comes from President Obama, who released his plan as a preview for his State of the Union address. His plan asks that companies voluntarily share certain computer data with each other and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. The hope is that this transparency will allow companies and agencies to more quickly recognize threats and breaches. The plan incentivizes companies to sign up for this sharing cohort by giving them “partial liability protections from lawsuits related to security breaches or privacy complaints from customers.”8 The President’s proposed legislation also seeks to establish a standard rule for notifying consumers of possible and confirmed breaches within 30 days.
As mentioned above, it is this part of the proposal that is being considered in Congressional hearings this week. There is some debate about the effectiveness of a single notification system, with some privacy experts such as Woodrow Hartzog arguing that “critical data protection infrastructure will be weakened if federal legislation scales back protection, consolidates regulatory authority, and sets specific rules in stone.”9 Many companies, however, are in favor of the proposal “because it would streamline current notification standards that vary across states and the District of Columbia.”10
Cybersecurity is also an exciting issue because it provides a great opportunity for the public and private sectors to work together. In fact, many insist that it will take buy-in from both groups to come up with an effective solution. In a speech at the National Cybersecurity and Communications Integration Center, President Obama said, “Neither government nor the private sector can defend the nation alone… It’s going to have to be a shared mission — government and industry working hand in hand.”11 As we wrote in our post last week, Michael Breen agrees, believing “the problem will require a sustained collaboration between the public and private sectors.”12
This issue isn’t going away anytime soon and in fact, as technology enables us to share more and more data, it’s probably going to get worse if we don’t address it. Cybersecurity risks affect everyone. Hackers and thieves don’t discriminate between rich or poor, Republican or Democrat, black or white. While opinions may differ on the best way to promote cybersecurity, the message is clear: we need to all work together now to better protect our data.
1 Terms of Service. (2014, April 14). Retrieved from http://www.google.com/intl/en/policies/terms/
2 Yadron, D. (2014, December 17). Poll Shows Broad Impact of Cyberattacks. The Wall Street Journal. Retrieved from http://blogs.wsj.com/washwire/2014/12/17/poll-shows-broad-impact-of-cyberattacks/
3 Paganini, P. (2015, January 26). Internet of Things: How Much are We Exposed to Cyber Threats? InfoSec Institute. Retrieved from http://resources.infosecinstitute.com/internet-things-much-exposed-cyber-threats/
4 Marcos, C. (2015, January 26). The do-something Congress? Ranking the most likely legislation. The Hill. Retrieved from http://thehill.com/blogs/floor-action/house/230621-what-will-congress-get-done
5 Fox, L. (2015, January 20). Can Obama Get Congress to Help Him Fight Terrorism? The National Journal. Retrieved from http://www.nationaljournal.com/politics/can-obama-get-congress-to-help-him-fight-terrorism-20150120
6 Will Congress Answer Obama’s Call for Data-Breach Law? (2015, January 27). The National Journal Tech Edge. Retrieved from http://www.nationaljournal.com/tech-edge/will-congress-answer-obama-s-call-for-data-breach-law-20150127
7 House turns to anti-hacker fight. (2015, January 26). The Hill Overnight Tech. Retrieved from
8 Volz, D. (2015, January 14). Obama’s Cybersecurity Plan, Explained. The National Journal. Retrieved from http://www.nationaljournal.com/tech/obama-s-cybersecurity-plan-explained-20150114
9 FTC shines spotlight on ‘smart’ devices. (2015, January 27). The Hill Overnight Tech. Retrieved from http://thehill.com/policy/technology/overnights/230936-overnight-tech-internet-of-things-report-leads-to-overload
11 Davis, J.H. (2015, January 13). Obama Calls for New Laws to Bolster Cybersecurity. The New York Times. Retrieved from http://www.nytimes.com/2015/01/14/us/obama-to-announce-new-cyberattack-protections.html
12 Verton, D. (2015, January 20). Obama’s State of the Union underplays cybersecurity challenge. FedScoop. Retrieved from http://fedscoop.com/state-of-the-union
Featured image via La Monica, P.R. (25 September, 2014). Hack attacks = big $ for cybersecurity IPO. CNN Money. Retrieved from http://buzz.money.cnn.com/2014/09/25/cyberark-ipo-hacking/