
President Obama steps up the fight against cyber threats

When President Obama stepped up to the podium to give his annual State of the Union speech in January, he gave cyber security experts a glimmer of hope that their fears of massive harm were finally being considered as a great threat to the nation.

Sandwiched between comments on diplomacy in Iran and the Ebola epidemic, the President said that if the US government did not act to improve cyber defences, "we'll leave our nation and our economy vulnerable".

"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids," he said to applause.

Then, last week, Mr Obama ratcheted up his response, declaring foreign cyber threats a "national emergency" and taking action to pave the way for sanctions against those who engage in cyber attacks that endanger America's national security or economy.

His executive order gives the government new powers to target significant cyber threats that affect critical infrastructure, disrupt the availability of websites or networks or steal trade secrets and financial information, such as credit card data.

Cyber criminals could face new potential punishments including having any US bank accounts or other assets frozen and banning US entities or people from doing business with them.

But legislating against hackers is difficult. As cyber attacks hit companies from Sony Pictures to US retailer Home Depot and cyber criminals infiltrate IT networks and countries, lawmakers struggle to keep up and find ways to limit the damage they cause.

Corporations are desperate for support against the fast-changing threat but, so far, many feel they must rely on private cyber security companies rather than government or law enforcement.

This report shows the scale of the problem. Kris Lovejoy, IBM's chief information security officer, argues it should be compared to "biological warfare". Speaking at a cyber security conference in Israel, as our Jerusalem correspondent writes, she said: "Everyone is infected - everyone - [and] the bad guys are in our organisation."

The answer lies not only in technological solutions, which government often finds difficult to implement, but also in people and processes, cyber experts argue throughout this report.

Amit Mital, chief technology officer at Symantec, the internet security company, says that people are often the weakest link. This is backed by David Emm, principal security researcher at Kaspersky Lab, the software security group, who argues that passwords are usually breached because of human weakness, not sophisticated technologies.

Tony Cole, global government chief technology officer at FireEye, a New York-listed cyber security company, says people need to change how they think of cyber attacks.

"The biggest thing people need to understand is we don't have a malware problem, we have an adversary problem," he says. "Adversaries are always looking for new holes and there are hundreds of millions of lines of code in everything we have out there."

The numerous agencies that are being created to swap tips will help, Mr Cole says, but they must focus on the hackers, not just signs of breaches. Mr Obama's proposals are encouraging, "but there's still a very long way to go."

In January the president proposed three strands of legislation, hoping Congress will help him make them law.

First, he wants to improve information sharing, to ensure potential targets co-operate to understand hackers, just as the criminals swap tips on underground forums. Organisations will be created to help companies share information with government by limiting their liability to privacy lawsuits if they do so. He also wants to create a centre to share data between government agencies and industry organisations for companies to swap knowledge with peers.

Second, the president wants a national data breach law that will force companies to tell customers quickly when their data have been stolen, replacing the patchwork of state laws that currently do this.

Third, he wants to increase penalties under the Computer Fraud and Abuse Act, in an effort to deter hackers within US borders. The executive order announced last week adds to these three, giving the US a way to use sanctions to impose penalties beyond its borders, but still only if the hackers are doing business with any US entities.

Cheri McGuire, head of global government affairs and cyber security policy at Symantec, is cautiously positive about the proposals. "I'm always optimistic when there is a focus, particularly at the beginning of a new Congress, on the issue of cyber security. But I'm also cautious in that we want to make sure any legislation that is eventually passed is smart legislation," she says.

Ms McGuire adds that in some areas, such as surveillance reform, the government is not being "aggressive enough" and that it is important not to see information sharing as a "silver bullet". She wonders whether giving liability protection to encourage companies to talk about breaches really would incentivise sharing. If not, companies may be given protection they do not deserve.

"The concern is that, if liability protection is too broad, then somehow organisations will feel they are not responsible for securing their own systems, for making sure they have the best security in place," she says.

For Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society and a specialist in cyber law, the problem is broader. She questions the government's whole approach to the cyber security problem.

"The diagnosis is wrong and the remedy doesn't fit the diagnosis," she says. "Sony Pictures gets hacked [allegedly] by North Korea, so we increase the penalties in the Computer Fraud and Abuse Act. North Korea couldn't care less what the penalties are. It is not getting prosecuted."

Ms Granick worries that information sharing will damage individuals' privacy as data on internet activity could potentially be used by other areas of government. On the data breach notification, she sees the proposed Federal statute as "less protective" than existing state laws, as most US companies have to comply with the strictest state law, that in California.

Ms Granick is concerned that increasingly hefty penalties could be used against security researchers, who probe vulnerabilities in systems to discover ways to fix them.

Instead of piecemeal regulation, she suggests cyber security should be looked at in the same way as one would a public health issue. Companies should be pushed to have a basic level of security - for example, encrypting data and updating software - that would help stop less sophisticated attackers who are rife in networks.

"I think we're in a phase where looking at this as a criminal problem is not productive - we need a different framework, more like a national health model," she says. "It is a network we all depend on and it should be safe in the same way we keep the highways or electricity safe."

© The Financial Times Limited 2015. All rights reserved.
FT and Financial Times are trademarks of the Financial Times Ltd.
Not to be redistributed, copied or modified in any way.
Euro2day.gr is solely responsible for providing this translation and the Financial Times Limited does not accept any liability for the accuracy or quality of the translation
