This week, in the lead up to his State of the Union address, President Obama is talking about cybersecurity — how to ensure our safety in the digital world.
One key proposal sounds pretty straightforward: Companies should tell us — within 30 days — if our data has been hacked. But according to cybersecurity experts, that nice clean number doesn't address basic issues.
A Firm, Clear Deadline
If your data is stolen, it would be nice to know.
"You can protect yourself, or at least know that you're at risk when you know that you've been breached," says Davi Ottenheimer, an analyst with the data storage company EMC.
Ottenheimer, who has been auditing retail security for more than a decade, says that if a company doesn't give explicit warning, "you might not pay attention at all."
You can't sign up for credit monitoring, you won't know to read every line of your bank statement, looking for signs of identity theft — if the company that's been attacked doesn't tell you to watch out.
The history of cyberattacks is littered with examples of companies that didn't want to fess up — like when Wal-Mart waited until 2009 to admit it was hacked in 2005. "They need to be told when to notify people about being harmed," Ottenheimer says.
The U.S. already has a federal rule on health care breaches. Ottenheimer says this 30-day proposal, for consumer data, gives the company "reasonable enough" time to investigate. And it helps clean up the messiness created by all those state laws that say different things.
"It's going to have a huge impact because we've been working on the state level so far and every state has had its own interpretation," he says. "The feds may be more reasonable."
The Wrong Starting Point
A senior administration official describes the proposal as a "major push." And the National Retail Federation is "very pleased" to have one federal rule to replace the current patchwork, said Mallory Duncan, the group's general counsel.
But John Dickson, a security expert at Denim Group, says retailers may just be breathing a sigh of relief because Obama isn't demanding much. "There's nothing magical about the 30-day notification," Dickson says. "That is not an understood industry period. It's largely arbitrary."
The White House proposal is thin on key details, like: Do the 30 days begin when a company suspects it's been hacked, or when it confirms the fact? And who exactly has to tell consumers — the brand we know, like Target; or the subcontractor behind the scenes that may have been the weak link in the digital chain?
Also, if the data is super sensitive, Dickson says 30 days may be too long. "Is it just [your] name and address? Or is it name, address and Social Security number?"
Last year the White House announced voluntary standards for companies to follow to protect consumers' data. Dickson says some of those standards should be mandatory — like the idea that companies storing our data should regularly scan their networks for malicious code and get rid of it.
"These are the kinds of things that resilient companies and secure companies do. You regularly scan for vulnerabilities. You regularly try to identify holes before the bad guys do," he says.
Focus On Corporate Governance
Tom Brandl with DocuSign offers another idea: Make the big, publicly traded companies sign off on a cybersecurity audit every year — just like the Sarbanes-Oxley Act requires with financial information. That way, the top brass can't just say after a hack, "Whoops! I didn't know."
"Then there's some skin in the game too from a CEO perspective and a board level perspective," Brandl says. "There's an explicit acceptance and sign-off that, 'Yes, I'm responsible for these things.' "
So far, the CEO of Target lost his job over a data breach — but that's rare. Brandl says the White House could up the stakes for corporate governance in our digital times.
Transcript
AUDIE CORNISH, HOST:
President Obama is talking about cybersecurity - how to ensure our safety when we step into the digital world. One key proposal sounds pretty straightforward. Companies should tell us, in a timely manner, if our data has been hacked. By timely manner the president means 30 days, but some cybersecurity experts say the president's proposals don't address the core issues. NPR's Aarti Shahani reports.
AARTI SHAHANI, BYLINE: If your data is stolen, it would be nice to know.
DAVI OTTENHEIMER: That's correct. You can protect yourself or at least know that you're at risk when you know that you've been breached.
SHAHANI: Davi Ottenheimer, with EMC, has been auditing retail security for decades.
OTTENHEIMER: Otherwise, you might not pay attention at all.
SHAHANI: You can't sign up for credit monitoring. You won't know to read every line of your bank statement, looking for signs of identity theft, if the company that's been attacked doesn't tell you to watch out. The history of cyberattacks is littered with examples of companies that didn't want to fess up - like when Walmart waited until 2009 to admit it was hacked in 2005.
OTTENHEIMER: They need to be told when to notify people about being harmed.
SHAHANI: The U.S. already has a federal rule on health care breaches. Ottenheimer says this 30-day proposal for consumer data gives the company reasonable enough time to investigate. And it helps clean up the messiness created by all those state laws that say different things.
OTTENHEIMER: It's going to have a huge impact because we've been working on the state level so far and every state doesn't have their own interpretation. The Feds may be more reasonable.
SHAHANI: A senior administration official describes the proposal as a major push. And the National Retail Federation is very pleased to have one federal rule to replace the current patchwork. But John Dickson, a security expert with the Denim Group, says retailers may just be breathing a sigh of relief because President Obama isn't demanding much.
JOHN DICKSON: There's nothing magical about the 30-day notification.
SHAHANI: The White House proposal is thin on key details, like - do the 30 days begin when a company suspects it's been hacked or when it confirms the fact? And who exactly has to tell consumers, the brand we know, like Target, or the subcontractor behind the scenes that may have been the weak link in the digital chain? Also, if the data is supersensitive, Dickson says, 30 days may be too long.
DICKSON: Is it just, you know, your name and address? Or is it your name, address and Social Security number?
SHAHANI: Last year the White House announced voluntary standards for companies to follow to protect our data. Dickson says make some of those mandatory, like the idea that companies storing our data should regularly scan their networks for malicious code and get rid of it.
DICKSON: These are kind of things that resilient companies and secure companies do. You regularly scan for vulnerabilities. You regularly try to identify holes before the bad guys do.
SHAHANI: Tom Brandl, with Docusign, offers another idea. Make the big, publicly traded companies sign-off on a cybersecurity audit every year - just like Sarbanes-Oxley requires with financial information. That way the top brass can't just say after a hack, whoops, I didn't know.
TOM RANDL: There's some skin in the game, too, from a CEO perspective and a board level perspective in that there is an explicit expectance and sign-off that yes, I'm responsible for these things as a CEO.
SHAHANI: So far the CEO of Target lost his job over a data breach, but that's rare. Brandl says the White House could up the stakes for corporate governance in our digital times. Aarti Shahani, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.
300x250 Ad
300x250 Ad