Obama Breach Proposal Draws Criticism From Many Camps
Adding to the problem is a tendency of companies to view security issues as being proprietary, which means companies are unlikely to share the details of a breach willingly. While the proposed legislation does provide for protection for companies that share breach data, that doesn't necessarily mean every company is going to comply. "My biggest worry is that a big company wouldn't want to report an attack," said Tom Chapman, director of Cyber Operations at Edgewave. While the proposed legislation might protect companies, it doesn't protect them in the court of public opinion, he said.
Chapman noted that because of the nature of cyber-operations, a national approach is really what's needed, regardless of the laws in some states. "The geolocation of cyber is not necessarily fixed to one state or country," he said.
Other groups have worried that the proposals don't provide enough incentives for companies to follow good cyber-security practices. However, what many of the objectors don't mention is that, in some cases, even a partially effective law is better than no law at all, and even partly effective practices focused in the right areas are better than none at all.
The central issue is really about opening the previously closed door that hides breaches so that the extent of damage is known. That knowledge doesn't need to be an embarrassment to the company that was attacked (especially since nearly every company will be attacked eventually), but is necessary so that customers and business partners can protect themselves. Ultimately, this needs to be about more than just protecting a single company from embarrassment; it needs to be about protecting the resources of every other person and company, as well.
Unfortunately, a cyber-attack struck the U.S. Central Command at nearly the same time as the president's announcement, immediately distracting nearly everyone from the true issue: finding a way to create a national response to the growing problem of cyber-attacks. Regardless of who was behind the hacking of USCENTCOM's Twitter and YouTube sites (the hackers claimed to be ISIS, but almost certainly weren't), that event misses the central issue of protecting companies and their customers.