Will Obama finally change cybersecurity in America?

President Barack Obama formally presents his cybersecurity proposals to the nation, but experts fear it's too little, too late to make a major impact on Americans' lives.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Seth Rosenblatt
3 min read

US President Barack Obama delivers his State of the Union speech before members of Congress in the House chamber of the US Capitol. His cybersecurity proposals face a tough road before they see his desk. Rob Carr, Getty Images

Cybersecurity reforms are now a top priority of President Barack Obama. Whether Congress will care remains an open issue.

During his State of the Union address on Tuesday evening, the president barely tipped his hat to major cybersecurity reform proposals he introduced in speeches last week. They included streamlining the current patchwork approach to data breach disclosure, information sharing between private companies and the government, and increased penalties for violations of the Computer Fraud and Abuse Act.

"If we don't act, we'll leave our nation and our economy vulnerable," Obama said during his speech, which was light on details. "If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."

These proposals come at a time when the American people are arguably more concerned about cybersecurity than ever before. A Gallup poll in October found hacking was the top crime Americans worry about, above murder, assault and terrorism. And there's good reason. This past year was one of the most active on record for hackers who breached computer systems at major retailers, financial institutions and even Hollywood.

The Obama administration responded by proposing new legislation to force cybersecurity changes which have stalled in Congress for years. Yet even after the devastating attacks on Sony Pictures in November, experts are skeptical Obama can convince Congress to support his proposals.

Meanwhile, the computer industry is struggling to keep up with the ever-increasing complexity of attacks. The Identity Theft Resource Center says data breaches were up 27.5 percent in 2014 over the year before, and a mid-2014 Pew Research study found 18 percent of Americans were victims of identity theft, up from 11 percent just six months earlier.

Despite the generally bipartisan nature of cybersecurity issues, passage of any of the three proposals is far from a slam dunk, said Greg Garcia, the assistant secretary for cybersecurity and communications within the Department of Homeland Security under President George W. Bush. "Generally, there's a consensus on this. But conventional wisdom is that Congress doesn't pass anything it doesn't have to," he said. "It'll be interesting to see how far the president pushes this."

Obama's data breach law -- the Personal Data Notification and Protection Act -- would create a single national standard for how companies notify their customers of a data breach. It would replace the uneven state-based approach to data breach laws currently in place, said Betsy Sigman, a Georgetown University data security expert.

"Everyone's for privacy, but I think the data breach law needs to be fleshed out a bit better," she said. "It's not doing a whole lot."

The proposals face skeptics on all sides. While Garcia said the proposals are a step in the right direction, privacy advocates are concerned the laws could encourage the misuse of customer data, simply by making it easier to share the data in the first place.

The president's proposal to toughen Computer Fraud and Abuse Act violations worries civil liberties and security experts. The 1986 law, which has come under fire for enabling aggressive prosecution of alleged violations of the law and was used to prosecute Internet rights activist Aaron Swartz, would become "draconian," said Marc Jaycox, a legislative analyst with the Electronic Frontier Foundation.

"Under the administration's proposal, the Department of Justice could get creative and threaten up to 10 years in prison if you know your friend will use one of your passwords you shared with them -- even if you have no "intent to defraud," important limiting language the Administration wants removed from the statute," Jaycox wrote in a blog post.

The future of Obama's proposals is far from certain, as similar legislation has foundered before a hostile Capitol Hill for years. "Most of the time, Congress isn't going to do anything," Garcia said.