It's not about what Obama says, it's what enterprises must do

The Administration's ongoing cybersecurity efforts will get a revision next week, but details and progress are still missing
Written by John Fontana, Contributor

In the wake of last year's well-publicized hacks, President Obama is reviving, revising and developing new plans for protections in cyberspace.

Unfortunately, the proposals are long on policies and conversation and short on action items.

It's been a three-year Administration push thus far to improve cybersecurity, an effort clouded by a stubborn Congress and marked by painfully slow progress.

Over the past two years, hacks have actually declined in number while the number of records stolen has increased, as punctuated by the trove of data grabbed in the Sony breach. The signal going forward is that fewer companies will suffer the pain of hacks, but those that do will be in sheer agony.

On Monday, Obama talked about his newest data breach proposals and the latest Consumer Privacy Bill of Rights. Tuesday, he linked those with liability protections for companies sharing with the government details of cyber threats, criminal penalties for captured hackers, and another think-tank conference.

He then cut out the heart, qualifying it all by indicating most of the changes would be voluntary for private companies. Missing were strategies to counter cyber attacks.

It's not a strategy that digs at the core of the problem, which is that most companies are vulnerable not because of the sophistication of hackers, but because of their own inattentiveness, and often incompetence, in protecting themselves.

It seems the cybersecurity solution may be more suited to a grassroots effort born of CEO resignations, shamed companies, reputation damage and hijacked data.

Perhaps a Presidential Declaration for a special cybersecurity day would guarantee a bump in the number of more secure systems: Change Your Default Admin Password Day.

What's missing from Obama are the details toward securing data in a proactive way as opposed to playing defense against a faceless adversary, and accountability for those who fail to protect data in industry standard ways.

While Obama drew distinctions between consumer protection and enterprise hacks, the truth is they both fall into the same cybersecurity context. Data has value; protect it.

The digital world by its very nature is an interconnected space with little division between private and work lives.

In the Target breach in late 2013, the phishing of a partner's email system led to the theft of credentials to more critical enterprise systems and a pipeline into Target that eventually resulted in separating consumers from their personal data.

"Accountable" should be a scary word for any company with a computer system. When courts begin to determine who pays for an indiscretion and why, accountability gets a monetary definition that acts as a strong motivator for safe data storage.

Target's breach bill could eventually top $1 billion -- 2.8 percent of its market cap.

But changes are easier said than done.

On Feb. 23, 2012, Obama announced the first Consumer Privacy Bill of Rights as part of a cybersecurity push, a year before Edward Snowden became a household name.

Across late 2013 and 2014, hacker attacks stole the headlines along with passwords and personal data.

On Jan. 20, Obama will give his 2015 State of the Union address and outline his new goals and initiatives.

But it will be 18-24 months until his words on cybersecurity might show tangible results or not.

Since 2012, "not" has been out to a noticeable lead.
