President Barack Obama made clear in his State of the Union address earlier this week that he intends to push through new legislation aimed at tightening corporate cyber security standards across the U.S.
Just as the US's Sarbanes-Oxley Act of 2002, designed to improve the accuracy and reliability of corporate disclosures in the wake of the Enron scandal, effectively forced companies wanting to partner or do business with US corporations to comply with its requirements, so Obama's proposed cyber laws are likely to have a global ripple effect across businesses outside America. Companies based in countries like the UK will need to tighten their own cyber security if they expect to do business with American firms, which might otherwise see them as a weak link and potential vulnerability in their communications and data networks.
In his address to the nation on Tuesday (January 20th 2015), Obama said: "I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. That should be a bipartisan effort. If we don’t act, we’ll leave our nation and our economy vulnerable."
CISPA by any other name
Although he did not refer to the proposed Cyber Intelligence Sharing and Protection Act (CISPA) and other recent proposals by name, sources in Washington concluded that it was these measures which Obama intends to implement. This would effectively mean that all US companies will be obliged to report breaches in their cyber security to customers within a 30-day period and would allow companies to share cyber threat information with the Department of Homeland Security.
A nationwide federal law making the disclosure of cyber breaches obligatory across the US would replace the current patchwork of rulings which makes disclosure mandatory in some states but not in others. Once enacted, the new federal laws would also mean that companies outside the US will be forced to reassess their own security protocols. If, for example, a UK company elected to pursue a policy of non-disclosure of cyber breaches, it may find itself frozen out by its partners or clients in the US. Cyber crime does not respect national boundaries or laws and a significant proportion of successful corporate hacks use associate organisations as an entry point. American companies will, therefore, become wary of forging close links with organisations which do not meet their own increasingly stringent cyber security protocols.
Some of the proposed new cyber legislation is likely to meet with opposition from those who are wary of too much government interference in their affairs. The American civil rights group the Electronic Frontier Foundation warns that the proposed ruling would give the U.S. Government full access to innocent users' personal information. The foundation also warns that the Obama administration's plans to modernise the Computer Fraud and Misuse Act (CFAA) could result in prison terms of up to 10 years for those who carelessly divulge information such as passwords.
Many in the industry are also commenting that it is difficult to see how the proposed legislation could have prevented the Sony hack at the end of last year or the recent breaches of US Government websites. There are already calls for a different legislative approach such as making cyber insurance mandatory for all organisations. Although purchasing cyber insurance would do little in itself to prevent an attack, it could mitigate the ill effects for the company concerned and its customers. Before insurers will underwrite a cyber insurance policy, they generally require a detailed assessment of the company's security. This may involve penetration testing the organisation's digital defences. Weaknesses exposed during this process can then be corrected, making successful cyber security breaches less likely in the future. There would also be an added incentive for firms to avoid having cyber breaches in order to ensure their cyber insurance premiums are not dramatically inflated as a result.
There is, however, now little doubt that the U.S. Government is determined to police the digital frontier. Obama has already vowed to tame the online world, which he regards as a "Wild West". The U.S. president should, however, be wary of introducing laws without giving full consideration to their longer term impact.
Encryption and the authorities
Some of the legislation already mooted by those in authority could have potentially disastrous results. For example, James Comey, the director of the Federal Bureau of Investigation (FBI), recently heavily criticised companies such as Apple for embracing end-to-end encryption such as that installed on Apple's latest mobile operating system. His argument is that widespread adoption of encryption might prevent the authorities from accessing communications records even when a proper warrant has been issued by the courts. This was an idea eagerly snapped up by Britain's prime minister, David Cameron. In the wake of the Charlie Hebdo terrorist attack in Paris at the start of the year, he implied that the UK government had plans to restrict the use of encryption.
The industry's initial reaction was to decry the introduction of an encryption ban as unworkable and potentially harmful to legitimate business. Cyber criminals and terrorists would easily be able to sidestep any new laws and penalties by routing encrypted communications via a proxy server. The only ones to be disadvantaged by an encryption ban would be legitimate companies, which would effectively be obliged to send unencrypted messages and so make it easier for cyber hackers to access privileged information from their communications networks.
But, while political leaders struggle to come to terms with a virtual world over which they have limited control, businesses based outside the U.S. should keep a close watch on any new cyber legislation. As American companies start to adopt new cyber security protocols and standards, companies on this side of the Pond will increasingly find themselves obliged to follow suit.
By Stuart Poole-Robb, chief executive and founder of KCS Group.