Ever-growing cybersecurity threats finally rise up the political agenda.
After more than a year of almost continuous high-profile hacks and data breaches, President Obama is pushing ahead with a raft of legislative cybersecurity proposals in the US. Some of the key measures include:
- Stricter data breach reporting laws: Forcing companies to notify their employees and customers of a security breach within 30 days.
- Cyberthreat information sharing: A voluntary framework for the private sector to share threat and attack intelligence with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.
- Stronger cybercrime law enforcement: Greater powers to prosecute cybercriminals and greater penalties for those caught.
When he first outlined these plans in his State of the Union address earlier this year, President Obama said: “No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families.”
It’s useful to compare and contrast what is being proposed in the US with cybersecurity and data protection proposals in Europe. The proposed EU General Data Protection Regulation – which now looks like it will be delayed until at least 2016 because of ongoing disagreement between member states – is also proposing stricter breach reporting requirements and hefty fines.
While the US is talking about 30-day notification, the EU GDPR draft legislation says companies need to inform those affected by a data breach “without undue delay”, a timeframe currently proposed as 72 hours, with fines of up to €100m for failure to comply.
Will those hefty fines be enough to force more companies to report data breaches? Worryingly, a survey we recently commissioned from Vanson Bourne found that a third of European organisations would actually rather risk a fine than report a security breach, because of the potential bad publicity and negative effect on the brand.
What we certainly do need, not just in the US but also in Europe and elsewhere, is more joined-up threat intelligence and breach reporting and sharing between governments, law enforcement and the private sector. It’s why we recently signed an agreement to collaborate and work more closely with Europol, and why we co-founded the Cyber Threat Alliance (CTA) alongside some of our security industry competitors.
On that basis we should all welcome President Obama’s proposals and hope that others follow, so that we can work together to avert and prevent more attacks before the damage is done. But there is a lot of hard work ahead to achieve that goal. We need to make it harder for cybercriminals to carry out attacks, and we need global collaboration and co-operation to investigate cybercrime, backed by stronger penalties for those caught.