UPDATED 16:32 EDT / MAY 20 2011

White House CyberSecurity Legislation Underwhelms

The anticipated legislation from the White House on cybersecurity was delivered late last week. As our preview had pointed out, it has fallen short of an effective policy for the nation altogether. It hardly seems like the product of a policy two years in the making. The new law has few legal requirements and little incentive for the private sector to take on better security initiatives and better protection of data. The main focus of the policy appears to center on joint efforts between industry, states, and the federal government in the event of intrusions, in planning, and in the sharing of information. As we have seen in the ongoing Sony PlayStation Network hack, that scenario is obviously a public relations nightmare for Sony. I couldn’t imagine them going to the government with much information on this, particularly with consumer data and the scope of the exposure being part of that information.
Without significant legal aspects of this plan for the private sector, the legislation provides nothing more than a mission statement that the industry has no incentive to move toward. The beef with this is that it was two years in the making and it just does not seem to be very broad, nor can it be deemed an effective strategy. For reasons that are still not clear, there seems to be a refusal from lawmakers to step in and protect the infrastructure of this country and the information of its citizens. I understand that such a thing would need to be done in collaboration with business, but continuing to stand by on the sidelines when these types of compromises are continuing to come up in the news makes this even more egregious in these times.

Technology is but one component of what should have been addressed. To be clear, the deployment and utilization of technology to secure networks is absolutely there. There are people and businesses doing it and doing it right. However, you can’t fix people and you can’t change profit motive. Those types of things trickle down through an organization. Leadership has to buy into this. Therefore, significant law has to drive adoption. All of these things accounted for would have driven new laws in this area. In summary, the only significant law to come out of this is the National Data Breach Reporting component. As stated, its goal is to help standardize the existing state-level laws across the 47 states that have enacted such reporting. Nothing really effective here, except potentially for those three other states that do not have such laws.

After over two years of recommendations, and a stated priority of enacting better cybersecurity by this administration, this plan falls short in effect and is underwhelming in just about every way imaginable.  The private sector is certainly not screaming for legislation, but the security professionals across the public and private sectors should probably look for more significant leadership in this mission.

