Obama’s New Cybercrime Proposal Could Put Onus on IT Orgs

It appears President Obama’s forthcoming legislative proposal to crack down on cybercrime could impose additional liabilities on IT pros in that there could be penalties for not putting in place the proper policies, auditing practices and reporting of breaches.

The President this week spoke on his plans to propose the new legislation aimed at stiffening the penalties for all forms of cybercrime that put the nation’s critical information infrastructure at risk as well as individual privacy, he said in a speech Tuesday. Obama will emphasize his legislative proposal to Congress in his annual State of the Union address.

“We want to be able to better prosecute those who are involved in cyberattacks, those who are involved in the sale of cyber weapons like botnets and spyware,” Obama said in Tuesday’s speech. “We want to be sure we can prosecute insiders who steal corporate secrets or individuals’ private information. We want to expand the authority of courts to shut down botnets and other malware. The bottom line: we want cyber criminals to feel the full force of American justice because they are doing as much if not more these days as folks who are involved in conventional crime.”

The White House also announced it will host a cybersecurity and consumer protection summit at Stanford University on Feb. 13, which will include speeches, panel discussions and a number of topic-specific workshops. Stanford said it is still finalizing details of the summit.

In addition to calling for better information sharing, the legislation will call for compliance with “certain privacy restrictions such as removing unnecessary personal information and taking measures to protect personal information that must be shared in order to quality for liability protection.” According to an outline on the White House Web site, the President will also propose giving law enforcement tools they need to “investigate, disrupt and prosecute cybercrime.”

The administration has also revised an existing proposal pertaining to security breach reporting “by simplifying and standardizing the existing patchwork of 46 state laws (plus the District of Columbia and several territories) that contain these requirements into one federal statute, and putting in place a single clear and timely notice requirement to ensure that companies notify their employees and customers about security breaches.”

Over the next five years, the Department of Energy will also provide $25 million in grants to fund the training of cybersecurity professionals. The move, of course, comes amidst growing concerns about high-profile breaches over the past year including Target, Home Depot and most recently Sony, among others.

Yet the President is sure to face a battle, especially as it relates to information sharing, where the IT industry is fighting to ensure customer privacy and civil rights. For its part, Microsoft has led that fight in its battle to protect data residing on servers in Dublin, despite last year’s court order mandating the release of that information. The Electronic Foundation, the non-profit organization focused on protecting civil liberties, swiftly denounced the President’s proposal.

“President Obama’s cybersecurity legislative proposal recycles old ideas that should remain where they’ve been since May 2011: on the shelf,” according to a statement it released following Obama’s proposal. “Introducing information sharing proposals with broad liability protections, increasing penalties under the already draconian Computer Fraud and Abuse Act, and potentially decreasing the protections granted to consumers under state data breach law are both unnecessary and unwelcome.”

But the White House isn’t alone in its effort to crack down on cybercrime. New York State Attorney General Eric Schneiderman yesterday said he plans to propose legislation that would require companies to inform customers and employees following any type of cyberattack or breach. The legislation would also broaden the scope of data companies would be required to protect, impose tighter technical and physical security protection and offer a safe harbor for organizations meeting certain standards, according to a statement released by the AG’s office. “With some of the largest-ever data breaches occurring in just the last year, it’s long past time we updated our data security laws and expanded protections for consumers,” Schneiderman said.

While it’s good that cybercriminals will face harsher penalties for their crimes — and they should — it’s not likely to thwart those determined to inflict the most harm. Still, no one wants to be the next Target or Sony. As the content of this new legislation is debated, it also puts enterprises on notice that they will need to take measures to protect their critical data — for their benefit and for everyone else.

Sourse: redmondmag.com