When I wrote last week that we need a national cybersecurity policy, I took a lot of heat on social media from my fellow security industry professionals. Some told me the best thing the government could do was stay out of cybersecurity. Leave cybersecurity to the cybersecurity pros, they said. Others ridiculed me by saying the U.S. needed a policy like Estonia has. Nevertheless, when President Obama gave his State of the Union address this week, he announced that he had signed an executive order on cybersecurity.
Well, it seems that I am not alone in thinking that we need a cybersecurity policy and that the government should be taking the lead on this. Tenable Network Security had an independent third party conduct a survey, which found:
- 60% support a government-trained "cyberwarrior" program
- 92% of Americans believe critical infrastructure (e.g., public utilities) is vulnerable to attack
- 93% believe U.S. corporations are vulnerable to state-sponsored cyberattacks
- 94% support the President having authority to respond as he would to physical attacks against the country
- 66% believe corporations should be held responsible for cyberattacks against consumers
- 62% say government should be responsible for protecting U.S. businesses from cyberattacks
That last one should make you stand up and take notice. Clearly, people are aware that we have a cybersecurity issue, and they want and expect the President and the U.S. government to do something about it. A clear majority also want to hold corporations' feet to the fire when they are victims of cyberattacks that affect consumers. That one is surprising: the corporation that comes under attack is itself the victim, yet respondents want it held responsible. But I guess one can say they want companies to do more to defend themselves.
I spoke to my friend Ron Gula, the CEO of Tenable Network Security, about this survey and President Obama's recent Executive Order on cybersecurity. Ron thinks government and private industry working together on cybersecurity is a good thing. He also thinks that in many ways the government is way out ahead on the cybersecurity front. Ron said he was surprised just how deeply current government rules on information security already reach into private industry. Ron spoke about how healthcare facilities that work with the government, contractors for DoD, and any business that does business with the government (and there are a lot of them) are subject to vulnerability-reporting requirements and to complying with FISMA regulations.
But one thing Ron did say is that there is no way any government policy is going to anticipate every new attack vector or everything any business should do to protect themselves. While the government can lead with broad policy and direction, Ron says it is up to each and every business or network owner to understand what their risks are and to take the necessary steps to protect themselves. Their failure to do so should have consequences. That seems to be in line with the survey results as well.
In the meantime, President Obama's order is in effect. Absent an act of Congress, I am not sure how much bite it has when it comes to ordering the private sector to do anything. The main thrust of the order is the sharing of cybersecurity information between government agencies and the private sector. It also talks about promulgating standards. Those could be NIST-like recommendations, but again, without Congress I don't think they can enforce those standards; they can only suggest them.
But it is a start. Whether we will see more government leadership and action on cybersecurity may depend on the ability of Congress to get out of their own way, stop the gridlock and actually govern and do their job. Time will tell. I hope it doesn't take a cyber-Pearl Harbor for them to get off their butts.
Another venue for cybersecurity policy may be the judicial system. Perhaps the courts will impose duties on private industry by holding it liable for cyber intrusions. I can just hear the outcry against the trial lawyers now. But the fact is that the courts can make law, or at least legal precedent, in the absence of Congress acting. You could see negligence actions brought against companies that don't do enough to protect themselves and, more importantly, their customers.
I am not personally a big fan of that scenario. We have enough people screaming for tort reform as it is. The country needs a cybersecurity policy. We need leadership to do this. It is time our leaders lead on it.