President makes unprecedented cybersecurity pitch

President Obama made an historic push for cybersecurity action during his State of the Union address Tuesday night.

“If we don’t act, we’ll leave our nation and our economy vulnerable,” Obama said. “If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”

Although the president previously called for cybersecurity legislation during his annual address in 2013, Tuesday night’s plea easily surpassed any previous cyber mention in specificity, breadth and urgency.

{mosads}”No doubt about it,” Rep. Elijah Cummings (D-Md.), ranking member of the House Oversight and Government Reform Committee, told The Hill in an interview. “He made the case for a bipartisan, strong effort to address cybersecurity.”

It was the third issue Obama mentioned while discussing national security during the speech. The president also hit nearly every aspect of the new White House cyber agenda, which was rolled out last week.

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids,” Obama said to a bipartisan standing ovation.

The administration’s legislative cyber proposals include measures intended to facilitate cyber threat information-sharing between the public and private sectors; to protect student data; to raise the punishments for cyber crime; and to create a federal breach notification standard and nationwide cyber defense standards.

The agenda was unveiled strategically to take advantage of the bump in cybersecurity awareness following the destructive cyberattack on Sony Pictures. Hackers allegedly backed by North Korea wiped the film studio’s computers, released internal documents and emails and made violent threats that almost caused the cancellation of a big-budget comedy release.

The incident led to a full-scale government investigation and the unprecedented blaming of a foreign regime for a destructive cyberattack on U.S. soil.

“We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism,” Obama said.

The security industry and privacy advocates alike appreciated the president using one of the country’s biggest bully pulpits to promote national awareness of cybersecurity, even if they quibble with the administration’s policy specifics.

Roughly 33 million viewers watch the State of the Union each year, although viewership has been declining.

“It’s every American’s job to get involved” on cybersecurity, said Tony Cole, the global government chief technical officer at cybersecurity firm FireEye.

For lawmakers who have spent years struggling to convince colleagues of the colossal dangers of weak cybersecurity, the president’s remarks were quite welcome, if not a bit late.

“I welcome him to the conversation,” said Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee. “Confronting the cyber threat has been a priority of mine for the past 10 years.”

Attention now turns to those same lawmakers, as the White House looks for allies to introduce its legislative offerings.

“Tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information,” Obama said.

“That should be a bipartisan effort,” he added, going off script briefly.

Sen. Bill Nelson (D-Fla.), the ranking member on the Senate Commerce Committee, has already said he will introduce a data breach notification bill that closely resembles the White House proposal.

It would require companies to notify consumers within 30 days that their information had been breached. Companies would also have to notify the government of certain breaches and adhere to cybersecurity standards set by the Federal Trade Commission.

Rep. Jim Langevin (D-R.I.), co-chair of the Congressional Cybersecurity Caucus, said after the speech that he will soon introduce a House version of the president’s data breach proposal.

“I am particularly excited to see cybersecurity come center stage in the State of the Union and in the public dialogue,” he added.

Obama on Tuesday only mentioned the initiative in passing, with his reference to legislation to combat “identity theft.”

The most contentious issue will be Obama’s proposal to enhance cybersecurity information-sharing between the government and private sector. The offering would provide limited liability protections for companies sharing cyber threat indicators with the Department of Homeland Security.

The measure has been at the top of industry group’s cyber wish list for years. But cybersecurity firms caution that a rushed, non-specific bill could prove ineffective.  

“How are you going to implement limited liability?” Cole wondered. “What does that mean?”

Privacy advocates worry those same vagueries could give the government another way to collect personal information on U.S. citizens. They’ve pushed for National Security Agency (NSA) reform to come before any cyber information sharing bill.

Obama insisted he would not let NSA reform fall to the wayside.

“While some have moved on from the debates over our surveillance programs, I haven’t,” he said. “As promised, our intelligence agencies have worked hard, with the recommendations of privacy advocates, to increase transparency and build more safeguards against potential abuse.”

Privacy advocates remained wary after hearing Obama’s remarks.

“It’s heartening that President Obama’s address focused on Americans’ privacy, but the only way to fulfill that promise is to pass surveillance reform before taking up cyber [info sharing] legislation,” said Robyn Greene, policy counsel for the Open Technology Institute.

The congressional calculus on the cyber threat sharing issue is also quite complex.

Different committees have pushed their own sharing proposals, creating intra-party squabbles and jurisdictional turf wars. Key Democrats on cyber issues have also broken with the White House on their own cyber threat sharing bills.

Rep. Dutch Ruppersberger (D-Md.) recently reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA), which would enable sharing between the private sector and the NSA, not the DHS.

Senate Intelligence Committee ranking member Dianne Feinstein (D-Calif.) was also a big proponent of a Senate version of CISPA last Congress.

The two recently installed chairmen on the Senate Intelligence Committee and Senate Homeland Security and Governmental Affairs Committee will play a big role in setting the legislative agenda.

Both Intelligence Chairman Richard Burr (R-N.C.) and Homeland Security Chairman Ron Johnson (R-Wis.) have indicated they’re willing to work with the White House on a joint cyber proposal.

In the Republican response to Obama’s speech, Sen. Joni Ernst (R-Iowa) made only passing reference to the issue.

“We’ll advance solutions to prevent the kind of cyberattacks we’ve seen recently,” she said.

The White House has insisted it will barter with a wide range of lawmakers in both parties to achieve its cyber goals. Obama reiterated Tuesday that the administration can’t go it alone on cyber.

“We’re looking beyond the issues that have consumed us in the past to shape the coming century,” he said.

— Updated 10:57 p.m.