Obama's Tact Underrates His Cybersecurity Influence
Complaints Voiced on Tardiness of President's Infosec Proposals
Alan Paller, research director at the SANS Institute, characterized the White House cybersecurity legislative package as highly catalytic. "The Senate has been stuck, in a sense, that they weren't willing to move forward with cybersecurity legislation until they knew where the administration was going to come down on a different proposal," Paller says. "This will radically increase the pace for the comprehensive legislation that the majority leader asked key committee chairmen to do."
Senate Majority Leader Harry Reid, D-Nev., last year asked the chairmen of key Senate committees, each with a stake in cybersecurity legislation, to come up with a comprehensive legislative package senators can vote on. Shortly after the White House announcement Thursday, Reid predicted the Senate would vote on significant cybersecurity legislation this summer. In the last Congress, the House approved several significant cybersecurity bills; IT security legislation never came up for a vote on the Senate floor (see 111th Congress Fails to Enact Significant Cybersecurity Reform).
Lawmakers look to the White House for cybersecurity leadership, and some of the strongest backers of cybersecurity reform didn't hide their disappointment over how long it took the administration to present its legislative package. Here's how Sen. Olympia Snowe, R-Maine, who has cosponsored a comprehensive cybersecurity bill with Sen. Jay Rockefeller, D-W.Va., put it (emphasis mine):
"While the administration's delay in providing critical input to the legislative process is regrettable, it is my understanding that the administration proposal parallels many of the objectives, particularly pertaining to modernizing the public-private partnership, that Sen. Rockefeller and I have advocated. ... It is imperative that the administration come before Congress very soon to brief us on the reasoning behind its proposals. I look forward to working with my colleagues in the Senate, House and the administration to swiftly pass comprehensive cybersecurity legislation as further delay compromises our ability to better protect Americans."
The House point man on all matters cybersecurity, Rep. Mac Thornberry, R-Texas, was as subtle as Snowe on the timing of the White House proposals: "I am pleased that the White House finally sent Congress its proposals on cybersecurity. ... Now that we have the proposals, we are going to study them carefully."
The exasperation of some lawmakers about the amount of time it has taken the White House to present its legislative agenda is understandable. In two weeks, President Obama will mark the second anniversary of his major address on cybersecurity (see The President's 10-Point Cybersecurity Action Plan).
That delay has helped create a perception that the White House has failed to provide adequate leadership in cybersecurity. A survey of government IT security practitioners conducted by GovInfoSecurity.com earlier this year showed that two-thirds of respondents felt the federal government failed to demonstrate leadership (see Gov't Infosec Pros Question Fed's Security Resolve).
Throughout his campaign for president, Obama was often chastised for not being more forceful in taking on some critics. And political opponents called the president weak on terrorism until American forces killed Osama bin Laden. Obama isn't quick to act; he's very deliberate, often nuanced, characteristics that drive detractors and supporters mad, but in the end he seems to get much of what he wants. That could be the case with cybersecurity legislation, too.
Breach notification is a major component of Obama's legislative package (see Obama Offers Breach Notification Bill). Simply put, the bill the president proposes would have federal law supersede those in nearly all of the states, something that would make it easier for businesses that conduct interstate commerce to comply, since they would have to focus on only one set of rules.
But if enacted, the Obama proposal wouldn't affect most healthcare organizations (see HITECH Act Applies to Healthcare; New Policy Would Apply to Others). "The policy would not apply to healthcare organizations and their business associates that already must comply with the HITECH Act breach notification rule, which has requirements that are somewhat similar (to Obama's proposed law)," writes my colleague Howard Anderson, executive editor of HealthcareInfoSecurity.com.
If not daily, at least weekly it seems another major breach occurs, providing more justification for a national data breach notification law. Tracy Kitten, managing editor of our sister website BankInfoSecurity.com, is breaking news about the expanding breach at the arts and crafts retailer Michaels Stores (see Michaels Breach Bigger than Reported). Michaels Stores initially reported that a scheme involving the point-of-sale pads customers use to key in their personal identification numbers was isolated to Chicago, but revealed Tuesday that nearly 90 stores in 20 states, stretching from Rhode Island to Washington, were affected.