Why all that hacking news might not be so bad

The list of companies that have reported being hacked just keeps growing, with Microsoft and Zendesk making headlines most recently. Although it’s caused plenty of anxiety for IT people and everyday users alike, there might just be an upside: The attacks have demonstrated the need for the kinds of information sharing the federal government wants to do to improve cybersecurity.

Following the demise of one proposal, the Cyber Intelligence Sharing and Protection Act (CISPA), the Obama administration has taken new steps with an executive order and a policy strategy. The executive order draws a roadmap for sharing more of its information with the private sector, and the strategy shows the intent to do more on diplomatic and intelligence fronts.

The Microsoft and Zendesk hacks follow others in recent weeks at Apple, Facebook, the New York Times, the Wall Street Journal and the Washington Post. Twitter said people had attempted to hack the site. And the security company Mandiant released a report providing details on a Shanghai-based division of the People’s Liberation Army of China that has stolen “hundreds of terabytes of data from at least 141 organizations,” almost all of which have headquarters in countries where English is the native language. Hackers even found a way to build a lure for a spear-phishing attack out of one version of the report.

President Barack Obama, in his State of the Union address last week, acknowledged that American companies have been hacked and said the country must not “look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.” Obama’s executive order on cybersecurity, released on the same day as the president gave the speech, directs the government to release more, and more timely, information on cybersecurity threats. It calls for a framework for reducing “cyber risks” to critical infrastructure in the United States, and the framework will have to help owners and operators of that infrastructure manage the risk. In doing so, the government cannot pick one product or service as a cure-all; it claims to value a competitive marketplace. The order also mandates that owners or operators of critical infrastructure that could cause catastrophes if hacked will be confidentially contacted and be given a way to submit information to the federal government.

A week after the executive order, the Obama administration released a policy paper laying out steps for advancing cybersecurity. It says businesses should share best practices, and it states that the FBI and the State Department will do more to try to stop hacks of trade secrets. Elsewhere, it promises that several other federal agencies will continue to do what they have been doing toward that end.

Some people have argued that the executive order doesn’t do enough to improve cybersecurity. Then again, others like it much better than CISPA.

Regardless of what people think about it, the federal government’s efforts to respond to the hacks could prompt more companies to protect their own assets. It takes advantage of the good parts of CISPA but not the bad, which my colleague Derrick Harris has previously identified. And with news of more and more attacks coming to the fore, more companies could be inclined to try sharing information with the federal government for the purpose of the greater good. How bad could that be?

Oh, by the way, as a side effect of all of these attacks and the new federal policies, don’t be surprised to see more enterprises trying out security products that focus on infrastructure, such as Mandiant and Cylance, which I wrote about earlier this month. Look for more stealth-mode security startups jumping out of the shadows, too.

Feature image courtesy of Shutterstock user Tatiana Popova.