President Barack Obama is expected to push for new cybersecurity legislation during his State of the Union address on Tuesday night, the first time a U.S. president has made this emerging threat a priority.
Obama will advocate for policy that encourages the private sector and government to share information on threats, expands the ability of law enforcement to prosecute cybercrime and condenses sometimes conflicting state laws into one federal statute, among other changes outlined by the White House last week.
Brutal hacks such as the breach of Sony Pictures Entertainment in November, and last week's attack on the United States Central Command's Twitter feed, have sent cybersecurity vaulting up the list of priorities at top levels of government.
Devastating breaches of major companies also continue to sap activity from the U.S. economy, often leaving confidential consumer data vulnerable in the process. While Obama's proposal reflects a wider emphasis on bolstering defenses against ever-increasing digital threats, the policy, if passed, may not address the fundamental threat to businesses and consumers, experts told CNBC.
"Everybody is in agreement that the private sector should beef up defenses, but Republicans would want to make it more of a recommendation than a requirement," said Darrell West, vice president and director of government studies at the Brookings Institute.
The desire to build resistance to cyberthreats stems partly from the financial and logistical hardships that companies face after an attack. While estimating damages can prove difficult because many attacks go unreported, cybercrime costs the global economy more than $400 billion annually, according to a July report from the Center for Strategic and International Studies. Target, for instance, reported a $148 million loss related to a credit and debit card breach in late 2013.
Obama's policy would attempt not only to cut off disruptions to businesses but also to limit damage to consumers after an attack takes place. Under the proposal, the government would provide "liability protection" to companies that share information about their cyberthreats with the Department of Homeland Security's National Cybersecurity and Communications Integration Center.
Law enforcement would also receive greater power to punish cybercriminals. In particular, Obama would attempt to give the government power to crack down more easily by criminalizing the sale of stolen personal financial information overseas and updating existing statutes to extend to cybercrimes.
"[Lawmakers] have to understand that digitalization changes everything," said Larry Clinton, president and CEO of the Internet Security Alliance, a trade association that advocates for standard practices in cybersecurity.
Companies that operate in numerous states have also been hurt by discrepancies in laws that determine how quickly they need to report the depth of an attack, including notifying customers what exactly was compromised, Brookings' West said. Obama's policy could also implement a federally standardized deadline—potentially 30 days, according to West—to let customers know what information has been breached. It would condense overlapping laws in place in at least 46 states, the White House said.
"Unless people know in a timely manner that their accounts have been compromised, it is impossible for them to ameliorate these actions. Quick notification would help companies avoid lawsuits and would reduce penalties that could arise from security breaches," West said.
Though it could help consumers and companies alleviate concerns after a cyberattack, Obama's proposal may not address the fundamental issues effectively. The policy would be contingent on how exactly the government would structure incentives for private sector information sharing, ISA's Clinton said.
While some aspects of Obama's proposal are "smart," the regulations, overall, could hamper the private sector's efforts to fight cybercrime and protect customers, said Larry Ponemon, chairman and founder of the Ponemon Institute, which researches privacy and data protection policy.
Ponemon expressed concerns over the proposal's emphasis on sharing the nature of threats, which he equated to "[showing] your hand to the bad guy." He also questioned whether the requirements would lead to widespread sharing of personal data compromised in cyberattacks.
He stressed the need for lawmakers to offer incentives for cybersecurity standards rather than mandate them.
"What we really need to do as a country is have ways of getting government and private enterprise to work together not by edict," Ponemon said.
How feasible is the U.S. government approving comprehensive cybersecurity legislation? Experts believe enough support exists both in the White House and the Republican-controlled Congress to implement a law eventually, though it may take shape differently than Obama's current proposal.
Contentious issues could include the level of "liability protection" the private sector receives from the government, which government agency controls information collection and enforcement and how quickly companies need to report the extent of attacks.
Another destructive attack on a major American company or government agency would spur legislation more rapidly, Ponemon said.
"Enough of these events will force the government to move very quickly," Ponemon said.