The State of the Union address and throwing the book at cybercriminals
A raunchy Seth Rogen flick strongly influenced the State of the Union address on Tuesday. I can safely add that to the short list of sentences I never expected to write. After the devastating attacks on Sony and on the retail chains Target and Staples (among others), it's no surprise that President Obama approached the lectern with a strong cybersecurity message.
The president said the administration is integrating intelligence to deal with cyberthreats "just as we have done to combat terrorism," and urged Congress to pass measures that have been deadlocked on Capitol Hill. Although not expressly outlined in his speech, President Obama's proposals center on three main points.
First, increasing information sharing about attacks and breaches. Although there are already avenues to do this, the proposal calls for such avenues to be broadened and for companies that share sensitive information with the government to receive targeted liability protection, meaning companies would ostensibly be more likely to share.
Second, bolstering legislation that criminalizes cybercrimes. Specifically, the proposal wishes to update the Racketeer Influenced and Corrupt Organizations Act (RICO) so that organized crime and cybercrime would be seen in the same light. The sale of botnets would become illegal, the FBI would be allowed to shut down new botnets, and the sale of personal information overseas would become a federal crime.
Third, standardizing the period of time before a business is required to disclose a security breach to partners and clients who could be affected.
After the President announced the new proposals, TechAmerica (the public sector and public advocacy department of CompTIA) came out in support of the measures in a press release. TechAmerica said it "applauds the President" and "supports the proposals" outlined, and expressed its opinion that the measures would "improve our national security, stimulate technological ingenuity, and protect the privacy of the American people." Among its many certifications CompTIA offers the CompTIA Security+, which might be the most well-respected foundational security certification in the field.
Not everyone, however, is pleased with the President's initiatives. The popular tech blog Gizmodo reported that President Obama's additions to the legal code would allow for more abuse of already-abused laws (abuse that contributed to the death of Aaron Swartz in 2013). The watchdog group the Electronic Frontier Foundation worried over the privacy ramifications, while David Upton of the Harvard Review pointed out that most cybercrime gangs are located overseas, well beyond the federal government's reach.
The almost universal opinion of detractors is that the measures are redundant and unhelpful; for instance, none of these measures would have stopped or even mitigated the Sony hack. Information sharing is already occurring, with and without the government, without repercussion. (Upton points to the Retail Cyber Intelligence Sharing Center as an example.)
And most of what would become illegal is already illegal. It would simply become doubly illegal, which (while sounding funny) would allow offenders to be prosecuted twice or even three times for the same crime (less funny).
The discussion demonstrates why IT security certifications are some of the most sought-after and marketable in the field. When push comes to shove, no matter what we do to catch and punish cybercriminals, it's far better if they can't get through in the first place.