After a brutal year of cyberattacks against companies including Home Depot and Sony, President Obama couldn't ignore security and data privacy during his State of the Union address on Tuesday.
Experts say they are thrilled cybersecurity is finally receiving top billing as one of the important issues Americans face -- but they are deeply concerned that the language in three new legislative proposals that are intended to protect consumers will inadvertently hamper their quest to stop cybercriminals.
"It was unprecedented for cybersecurity to be discussed so specifically in a major presidential address like this. It's fantastic," Chris Doggett, managing director at security firm Kaspersky Lab, told NBC News. "The world is finally waking up to how much damage attackers are doing not only to consumers, but to economy and infrastructure."
While Obama didn't explicitly call cybersecurity a national-security issue, his comments on the topic came in a portion of the address devoted to defending America -- sandwiched between discussions of Afghanistan and Ebola.
Obama said in part: "No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism."
Doggett was "really pleased the discussion was put in that context," he said.
But Doggett and other cybersecurity experts are less pleased about the way the Obama administration plans to carry out its goals.
The administration last week previewed -- and posted in one of the graphical slides that appeared alongside Obama as he delivered the address -- overarching cybersecurity and data policy initiatives and legislative proposals in three areas:
- increasing the sharing of cyberattack information between private companies and the government
- bolstering law enforcement's ability to investigate and prosecute cybercriminals
- establishing a federal mandate for hacked companies to disclose breaches to customers within 30 days of discovering the hack.
While the proposals are in the very early stages, experts point out it's tough to legislate anything as complex and fast-moving as cyberattacks -- and they say the way some of the proposals are written will have unintended effects on the people trying to stop the attackers.
'Scary as hell'
"The ideology is good. I think everyone involved can get on board with trying to protect the consumer," said Terrence Gareau, chief scientist at Nexusguard, a firm that helps companies defend against cyberattacks. "But the way some of this is written, especially the law enforcement part, is scary as hell for someone like me."
That's because companies hire people like Gareau to hack into their systems and tell them about the holes that could allow a malicious attacker to get in. But the new law enforcement proposal "would make me a criminal if I did that," Gareau said.
Chris Hadnagy, founder of the consultant group Social-Engineer, Inc., agreed: "It would make 90 percent of what we do illegal. If you're trying to get the bad guys, you can't keep the good guys from doing their jobs."
Experts were more sanguine about the third proposal: a federally mandated reporting timeline for companies that have experienced a breach. The current patchwork of breach-disclosure laws across 47 states varies from specific "shot clocks" that mandate a certain time period to vague direction that companies release information "in the most expedient time possible."
"There is merit to having a broader approach at the federal level because of the nature of the cyber domain," Mike Walls, the managing director of security operations at security-software maker Edgewave, told NBC News via email. "There are no state borders in cyberspace ... So it seems reasonable to elevate policy to a higher level to establish minimum standards."
Still, Hadnagy and Gareau are concerned 30 days could be too short a timeline for companies that suffer a major penetration into their systems.
"It can take weeks and weeks to figure out what exactly happened [during a hack] and what was affected," Hadnagy said. "You don’t want [a company] to have to say, hey guys, my front door is open! People are stealing from me and I can't fix it!"
The Obama administration also revealed a few non-legislative initiatives related to cybersecurity and data privacy. Vice President Joe Biden announced earlier this month that the Department of Energy will provide $25 million in grants over five years to support a cybersecurity education group made up of 13 historically black colleges and two national labs.
And on February 13 the White House plans to hold a Cybersecurity Summit at Stanford University with senior White House leaders and other government staffers, technical experts, private-sector CEOs, students and other groups.
On the surface those moves may sound like puff or posturing compared with concrete legislative proposals, but Gareau is much more excited by that piece of Obama's plans.
"It's easy to write those off, but those events are great. Putting a bunch of smart people in a building does help get things done," Gareau said. "I'd much rather see the [White House] help us all work together more naturally, not bring down the legislative hammer."