How Can We Beef Up Cyber Security?

Adam Segal sees new cyber laws as a real possibility:

Could this finally be the year when the Congress passes cyber legislation? I think yes. Public awareness of the threat is at an all-time high. The Sony attack has created pressure for Congress to act (though it is not clear that any of the legislation would have prevented the North Korean hackers from breaching the company). Moreover, there is bipartisan support for cybersecurity legislation. … [W]hile disparaging most of the President’s agenda, prominent Republicans like Senator Lamar Alexander of Tennessee have pointed to cybersecurity as an area where “we can get some agreement.” As in the past, privacy concerns will make or break the legislation, but we should expect to see real signs of progress.

Katie Benner examines the cyber proposals in Obama’s SOTU:

The Obama ideas with the most potential to bolster corporate security are his threat-sharing measure and the corporate disclosure rule.

As I’ve written before, collaboration is considered to be one of the best defenses against cybercrime, but a recent PricewaterhouseCoopers survey found that only 25 percent of businesses currently share information about attacks. Obama wants to encourage companies to share threat data with the government in order to get liability protection. … The disclosure rule isn’t useful because it increases security per se, but because it gives companies an incentive to pre-emptively beef up their defenses.

However, Timothy Edgar declares that no “proposal in Obama’s State of the Union address would truly hold companies accountable for cyber insecurity”:

If you are looking for effective ideas on this score, you would do better to listen to students here at Brown University where I’ve lately been teaching.

One student’s idea was to build on existing “bug bounty” programs in which software companies pay researchers money for uncovering security flaws by turning the federal hacking law on its head. Today, all intrusions—even “white hat” penetrations for security research—are illegal unless the system owner consents. A company with lousy security may threaten a security researcher with a lawsuit or jail time for pointing out a gaping hole in its defenses. What if Congress reversed this perverse law, requiring companies to pay ethical hackers for demonstrating vulnerabilities?