Just as the news broke that Anthem Inc., the second-largest health insurance company in the United States, suffered a massive data breach – some 80 million people – Michael Daniel, Special Assistant to the President and cybersecurity coordinator in the Executive Office of the President, had a far-ranging online conversation on cybersecurity issues with Bloomberg Government.

“It’s obviously quite concerning that we would have another intrusion of this size following 2013, which some people have called the Year of the Hack,” Daniel said.

This breach, along with the other highly publicized losses of the past year or so – Target, Home Depot, and Sony, to name just a few – highlight the need for federal legislation to address cybersecurity, he said, but no one should be surprised it is taking so long.

“Look, for instance, at the evolution of Goldwater-Nichols,” the law that reorganized the Defense Department, he said. That law came about after the “failed hostage rescue attempt in 1980, [but] the legislation passed in 1986, and it was arguably less complex than cybersecurity. So the fact that it’s taking so long … shouldn’t be surprising.”

The need for federal action, from congressional legislation to Executive Branch directives, is growing rapidly, Daniel said.

“The threat landscape is getting worse, broader, more sophisticated, more dangerous. We keep connecting more stuff to the Internet, [now we’re] talking about the Internet of Things, there’s more devices connected to the Internet than people on the planet,” he said. And the attacks are getting “more sophisticated – not just the technology, but [their] organizational capacity.”

Equally alarming is that attackers “are willing to cross lines they didn’t before,” he added.

Even though the threat landscape is getting worse, the obstacles to cybersecurity legislation are formidable.

For instance, there is the challenge of information sharing – whether between companies and federal agencies, federal and state agencies, law enforcement and intelligence, and so on.

Daniel said the government does not want personally identifiable information (PII) to be shared, but does want to know IP addresses, which malware is appearing, and the signatures of attacks, to name a few.

Another problem with information sharing is the issue of corporate liability.

“In spite of all the hacks, companies are concerned about reputation, branding issues, lawsuits,” Daniel said. While the companies might like the broadest possible protection from liability, the Administration is looking for targeted protections.

“You have to give companies enough assurances that they’re willing to share more” information, he said. “At the same time, we can’t introduce [protections] where we’re encouraging underinvestment in cybersecurity, because that would be the totally wrong outcome.”

Another obstacle to cybersecurity legislation is the fact that there are many different kinds of attackers, including nation-states. Daniel said that cyberspace is such a new environment, it will take time to come up with a shared understanding of acceptable practices.

“Go back to the Cold War, everybody knew the Soviet Union was spying on the United States, and we were spying on the Soviet Union … [but] we weren’t bombing,” he said. “If we caught their spies we’d kick them out of the country” and vice versa, “but [we] weren’t blowing up each other’s infrastructure.

“Nation-states are going to use cyberspace to pursue their foreign policy goals; that shouldn’t surprise anyone,” he said. “But it does mean we should come up with rules of the road to limit escalatory behavior” and allow commerce. This is why getting cybersecurity policy and legislation is so important, because it’s fundamental to both domestic and foreign policy, he said.

It has been relatively uncommon for the government to attribute cyber attacks to particular nation-states, Daniel said, though it doesn’t mean agencies aren’t pursuing perpetrators aggressively.

The Sony attack was different because of three factors, Daniel said.

“One was its destructive nature – not just theft, but a destructive attack that did significant damage to Sony. It was a coercive attack … and, while not critical infrastructure, it was an attack on one of our core values, freedom of speech,” he said. “We didn’t want to hand out a playbook on how to suppress speech in the United States.”

Daniel said one important aspect of cybersecurity is trying to understand the underlying business model driving attacks. In the Anthem attack, for instance, what is valuable about the information that was stolen, and how can it be used?

“With high-impact records like that, we have to do a much better job of encrypting data at rest, so even if it’s taken it can’t be used,” he said.