What with President Obama rolling out his various proposals for new laws and executive orders to help protect America from online attacks, this is a big week for cybersecurity. Or at least it should be.
But the reality is that even if implemented, the proposed legislation and other actions would likely do little to make American companies or individuals safer. The only real benefit is likely to be raising the overall awareness of online vulnerabilities, just as the TSA's airport security rigmarole may not actually catch weapons or terrorists, but still makes it abundantly clear that aviation is a risky business that needs to be approached with appropriate caution.
On Monday, Obama announced the Personal Data Notification and Protection Act, which would establish a "30-day shot clock" requiring companies to notify consumers if their personal data has been compromised. He also called for a Student Data Privacy Act to prohibit companies from making money on information collected from digital education products.
On Tuesday, Obama went further, proposing updates to the Racketeer Influenced and Corrupt Organizations (RICO) Act so that it applies to cybercrime. In addition, selling stolen U.S. financial information overseas would become a crime, as would selling or renting botnets engaged in DDoS or other attacks. And the courts could order shutdowns of botnets implicated in criminal activities.
Obama also proposed giving companies partial immunity from lawsuits if they promptly forward cybersecurity data to the Department of Homeland Security, which would then share it with the FBI, the NSA, and the Secret Service, as well as some private-sector security organizations. He also called for Homeland Security and the Attorney General to "develop guidelines for the receipt, retention, use and disclosure of cyber threat data within the federal government."
Irrespective of the obvious and significant privacy concerns raised by these moves, though, it's hard to see how they will make a dent in the kinds of attacks now grabbing the headlines.
The proposals, so far, seem to be all about information sharing and prosecution, not about hardening potential targets or thwarting potential attackers before they strike. For example, there was no word on offering financial incentives to companies (or individuals) to strengthen their cybersecurity measures. According to many experts, information sharing alone won't be nearly enough to abate the threats.
Similarly, it's unclear how concerned foreign nationals, much less foreign nations, will be about U.S. legal injunctions. I mean, what are we going to do, arrest Kim Jong-un for hacking Sony? Invade China or Russia (or even some tiny Balkan state) because they might be harboring hackers?
It won't be easy, but the only real protection is to find ways to stop these attacks from succeeding—or dissuade them from even being attempted—not just trying to tell everyone about those successes and punish the perpetrators after the fact.