Reactions to White House proposals mixed

cybersecurity legislative proposals the White House put before Congress on Thursday that would replace 47 state data privacy laws with one sweeping federal data breach notification law.
In a statement posted on the White House blog on Thursday, White House Cybersecurity Coordinator Howard Schmidt referred to the proposals as "a milestone in our national effort to ensure secure and reliable networks for Americans, businesses, and government."
Senate Majority Leader Harry Reid, D-Nev., said the president's proposals will be an important part of the effort to protect computer networks.
Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), and Tom Carper (D-Del.), who have also proposed cybersecurity legislation in the Senate, gave the president high marks for the effort. In a joint statement, they said, "The White House cybersecurity proposal released today is a welcome and necessary addition to the work we have been doing for the past several years to safeguard the American people from a cyber 9/11."
But not all lawmakers were pleased with the proposed legislation, and the criticism was not just coming from the Republican side of the aisle.
Rep. James Langevin, D-R.I., who along with Rep. Mike McCaul (R-Texas) founded the Congressional Cybersecurity Caucus in September 2008 (both were also co-authors of the landmark report, Securing Cyberspace for the 44th Presidency), faulted the new proposal for not creating an Office of Cyberspace with a Senate-confirmed director in the White House, as outlined in several bills before Congress.
Other experts cited recent major breaches as wake-up calls showing that improved cybersecurity legislation is necessary.
"The proposed new law still provides few incentives, and even fewer legal requirements, for the private sector to provide appropriate security for sensitive personal information," Fred Cate, director of the Center for Applied Cybersecurity Research and distinguished professor at the Maurer School of Law, said in a statement. "In the wake of massive data breaches at companies like Epsilon and Sony, it's clear those businesses and organizations aren't doing their part," he said.
While the Obama administration has recognized that cybersecurity poses a severe threat to the government, industry, and individuals, the president has consistently refused to provide legal incentives for industry to invest in good information security, Cate added.
Other voices from within the security and legal communities had praise tempered with caution.
"The Obama administration has been working over the last two years to put together a policy structure that will enable us to protect critical infrastructure from cyberattacks," Nicholas Percoco, SVP and head of SpiderLabs at Trustwave, a provider of compliance management solutions, told SCMagazineUS.com on Friday. "Based on their own assessment, it appears much of this framework has been put in place."
Going forward, Percoco said action from both the public and private sectors is needed to improve the cybersecurity of our country's critical infrastructure.
"Appointing people to positions and writing policy documents will not protect the United States from a cyberattack," he said. "It is the implementation of such initiatives and commitment to cybersecurity that will make the real difference."
David Seltzer, a South Florida criminal defense attorney who specializes in cybercrimes, told SCMagazineUS.com on Friday that he believes the legislation is needed, especially in light of the Sony breaches last week. For businesses, it could eliminate confusion that stems from having so many different state data breach notification laws.
"As a corporation, unified regulation should make it easier than individual state variances," Seltzer said.
But, he added, the government should not have any direct involvement in how companies operate and secure their data. Instead, it should be an advocate for touting the consequences of inadequate cybersecurity, which can lead to breaches.
In a statement, Rob Rachwald, director of security strategy at Imperva, said the proposed legislation is a step in the right direction, but could use more specific details. "In some key areas, the proposal is a 'plan for a plan,' as opposed to prescribing specific, actionable steps to protect data, intellectual property and infrastructure."