Secretary of Homeland Security Jeh Johnson looks at the Washington Monument through a window near the House chamber. Photo by Olivia Marcus/Medill News Service
WASHINGTON — President Barack Obama urged Congress to pass tougher cybersecurity protections in his State of the Union address Tuesday, and Republicans indicated they are willing to work with the president on the issue – one of the few that drew bipartisan support.
“Tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft and protect our children’s information,” Obama said, one of the few statements he made that earned applause from House Speaker John Boehner.
Tuesday’s speech echoed a speech Obama gave last week on cybersecurity legislation at the National Cybersecurity Communications Integration Center. Obama told that audience that after meeting with Boehner and Senate Majority Leader Mitch McConnell, “I am confident that we should be able to craft bipartisan (cybersecurity) legislation soon.”
Sens. John McCain, R-Ariz., and Lindsey Graham, R-S.C., said they are ready to work with the president on cybersecurity legislation while criticizing the rest of the national security policies he listed in his speech.
The motivation in the White House and Congress to improve cybersecurity comes from a perceived vulnerability in the nation’s critical infrastructure, including water, electricity and transportation systems. Because so many of these operations are controlled by computers, they are vulnerable to crippling cyberattacks.
For some Americans, issues of cybersecurity and information sharing online raise privacy concerns about whether the information they put online is secure. According to a Pew Research Center study released this month, 91 percent of American adults feel consumers have lost control over the way companies use their personal information.
Rep. Robert Wittman, R-Va., a member of the House Armed Services Committee, highlighted some of those concerns in his response to Obama’s proposals.
“I do think there are significant issues that have to be addressed with individuals’ liberties, their freedoms, their own privacy,” said Wittman, chair of the committee’s Readiness Subcommittee.
He called for vigorous debate on balancing the government’s constitutional responsibility to protect the country with its responsibility to preserve individual freedoms. “That, to me, is critical to who we are as a nation,” he said. “We can’t go to the extreme.”
Professor Scott Shackelford of Indiana University said that the strategies the president proposed to reduce cyberthreat vulnerabilities are being employed in the private sector to a certain extent.
“I don’t think it should be oversold how much (Obama’s proposals are) going to change the status quo,” said Shackelford, a cybersecurity expert and author of “Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace.”
The president has emphasized that cybersecurity strategy is both a public and private sector issue.
Major breaches at companies such as Home Depot and Target have made private firms increasingly aware that they need to protect themselves against breaches, but not all have the appropriate policies in place, Shackelford said. “Basically, the status quo is unsustainable in a lot of ways,” he said.
In February 2013, the president said that the structures for sharing cybersecurity information and responding to attacks needed to be improved. In response, the National Insititute of Standards and Technology released the Cybersecurity Framework in 2014.
Essentially, such frameworks bring together best practices, guidelines and techniques for recognizing and responding to cybersecurity threats. The Department of Homeland security simultaneously launched the C3 Voluntary Program last year to help use the framework.
The C3 Voluntary Program is designed to help participating organizations use the Framework’s guidelines. The idea is that those who choose to participate in the Framework, whether they’re from the public or private sector, share information about cyber threats and how they are addressing them in order to develop responses that can be used across the board.
