A senior fellow with Indiana University's cybersecurity research center explains that government hasn't done nearly what it should when it comes to preventing cyberattacks.
There’s little or no legislation right now that could help prevent these attacks, but that could change soon as both President Barack Obama and Congress are taking steps to find compromises for cybersecurity legislation after years of deadlock.
“The government’s not nearly done what it should,” said Fred Cate, Indiana University professor of law and senior fellow with the IU Center for Applied Cybersecurity Research. “We have no obligation to protect data.”
Compare it to a car: There are safety measures that need to be in place, such as seat belts and air bags, tests that need to be done and other requirements met. But for cybersecurity, none of those safety rules and regulations exist, Cate said.
And attacks are becoming more sophisticated and strategic. Cate pointed to the recent security breach at Sony and how information was “rolled out” over a period of days, a kind of orchestrated event.
“When we think about the risk of attacks, what we are seeing a lot more of are organized attacks,” Cate said.
President Obama raised the issue in his State of the Union speech, calling for legislation to encourage information sharing between businesses and the government. Committees in both the U.S. Senate and House have met this week to discuss cybersecurity.
Information sharing has been the key piece of cybersecurity legislation for a number of years, Cate said. Sharing information can lead to better cybersecurity, giving businesses an idea of how others were attacked and where holes could exist in security systems.
Sharing can be useful even when an attack is not successful, giving businesses a heads-up about how a crime syndicate may be attacking.
“It’s what we think of as asymmetrical warfare,” Cate said. “If you’re the defender, you have to win every time; if you’re the attacker, you only have to win once.”
The proposed legislation is mostly focused on information gathering, not necessarily on protection.
There’s also some reluctance about information-sharing legislation because of civil liberties concerns about companies sharing customer data, especially with the government.
Government may also be reluctant to share its information with private industry. Cate said cybersecurity information is usually classified, and would have to be declassified in order to be shared.
There are other things the government could do besides information sharing.
Companies could be held liable for money lost by other companies and individuals because of a data breach.
These changes may be unlikely from Congress, though.
“Every year, after every major attack, we say ‘This will be the year,’ and in a rational world, it would,” Cate said. “But Congress and the president — it isn’t rational. It’s really just a crap shoot. It’s like rolling dice.”
Cyber protection may come from an executive order by the president or cases pending with the Federal Trade Commission, which could determine whether bad cybersecurity is a bad trade practice.
The biggest problem regarding data security is people themselves. Most breaches have a human element, Cate said — someone clicks on a link they shouldn’t, someone accidentally turns over their password to a hacker.
Cate said more research is needed in cybersecurity, but there’s very little funding for research right now compared with other government areas.
Money could also go to education. Cate suggested starting education about data security in elementary schools, alongside topics such as fire safety.
Diverting more money to research could produce more concrete protection ideas, the lack of which is the biggest problem right now. With attacks coming from all corners of the world and taking many forms, it’s hard to give legislators an all-encompassing solution for data protection.
“It’s lots of information — it’s part of what makes cybersecurity so hard to deal with,” Cate said. “Nobody’s got a silver bullet.”
©2015 the Herald-Times (Bloomington, Ind.)