(Bloomberg View) — President Barack Obama wants to prod corporations into addressing their cybersecurity weaknesses and he used his State of the Union speech to do just that.


Obama also placed responsibility for inaction and any damage from future attacks on the shoulders of a deeply divided, partisan Congress. His proposals are still largely shapeless. But if Congress doesn't help develop an aggressive plan and if companies are then hit by waves of serious cyberattacks — as the most pessimistic security professionals believe will happen this year — Republicans and Democrats alike may come under fire.


Online security wouldn't have warranted presidential attention in the past, but in the wake of the Sony hack, corporate America is grappling with the destructive power of a serious breach. Cybersecurity experts have warned for months that corporate hackers are using techniques once reserved for nation-state level warfare and they say an attack on the nation's largest businesses could disrupt commerce, livelihoods and workers' morale.


In his written speech, Obama said:

No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children's information. If we don't act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.


These remarks echo proposals that the president floated prior to his State of the Union speech. He recently pressed Congress to provide liability protection for companies that share threat information with one another and to force corporations to notify customers within 30 days of discovering any breach involving data theft.


Obama's proposed legislative package also allows the government to prosecute the sale of "botnets" (networks of computers used to send viruses and overwhelm other systems with spam). It expands legal oversight over spyware that's used by stalkers and identity thieves, and prohibits companies from using student data for anything other than education.


The Obama ideas with the most potential to bolster corporate security are his threat-sharing measure and the corporate disclosure rule.


As I've written before, collaboration is considered to be one of the best defenses against cybercrime, but a recent PricewaterhouseCoopers survey found that only 25% of businesses currently share information about attacks. Obama wants to encourage companies to share threat data with the government in order to get liability protection.


"We need specific mandates that establish controls on the type of data shared to ensure it both accurately reflects the attack while simultaneously protecting citizens' rights under the Fourth Amendment," says Joe Eandi, the chief executive of the cybersecurity startup Vorstack.


The disclosure rule isn't useful because it increases security per se, but because it gives companies an incentive to pre-emptively beef up their defenses.


As Sumit Agarwal, a former Defense Department advisor and co-founder of a startup, Shape Security, put it: "Companies don't like to be embarrassed and being forced to notify customers every time they're breached will hopefully cause them to take [preventive] steps."


Corporations like Sony have proven that they're reluctant to follow best security practices until disaster strikes, which is why the president's proposals are important even if they're still nascent.


Industry experts say that past attempts at government regulation have prodded the private sector to self-regulate and lessened the need for government intervention. Hopefully the trend will continue and businesses will raise their game even if Congress doesn't act.


In the end, of course, it's corporate America's responsibility to take security seriously and protect their data – and ours. That task shouldn't be dumped off on the government. At best, legislation might motivate and shame businesses into doing the right thing. Or maybe it will require another massive cyber-attack on a corporation to move things along.
