When I wrote last week that we need a national cybersecurity policy, I took a lot of heat on social media from my fellow security industry professionals. Some told me the best thing the government could do was stay out of cybersecurity. Leave cybersecurity to the cybersecurity pros, they said. Others ridiculed me by saying the U.S. needed a policy like Estonia has. Nevertheless, when President Obama gave his State of the Union address this week, he announced that he had signed an executive order on cybersecurity.
Well, it seems that I am not alone in thinking that we need a cybersecurity policy and that the government should be taking the lead on this. Tenable Network Security had an independent third-party conduct a survey, which found:
That last one should make you stand up and take notice. Clearly, people are aware that we have a cybersecurity issue, and they want and expect the President and the U.S. government to do something about it. A clear majority also want to hold corporations' feet to the fire if they are victims of cyberattacks that affect consumers. That one is surprising: if the corporations come under attack, they are held responsible. But I guess one can say the respondents want companies to do more to defend themselves.
I spoke to my friend Ron Gula, the CEO of Tenable Network Security, about this survey and President Obama's recent Executive Order on cybersecurity. Ron thinks government and private industry working together on cybersecurity is a good thing. He also thinks that in many ways the government is well out ahead on the cybersecurity front. Ron said he was surprised by how deeply current government rules on information security already apply to private industry. He pointed out that healthcare facilities that work with the government, contractors for the DoD, and indeed any business that does business with the government (and there are a lot of them) are already subject to vulnerability reporting requirements and must comply with FISMA regulations.
But one thing Ron did say is that no government policy is ever going to anticipate every new attack vector or everything a business should do to protect itself. While the government can lead with broad policy and direction, Ron says it is up to each and every business or network owner to understand what their risks are and to take the necessary steps to protect themselves. Their failure to do so should have consequences. That seems to be in line with the survey results as well.
In the meantime, President Obama's order is in effect. Absent an act of Congress, I am not sure how much teeth it has to direct the private sector. The main impact of the order concerns the sharing of cybersecurity information between government agencies and the private sector. It also talks about promulgating standards. Those could be NIST-like recommendations, but again, without Congress I don't think they can enforce those standards; they can only suggest them.
But it is a start. Whether we will see more government leadership and action on cybersecurity may depend on the ability of Congress to get out of their own way, stop the gridlock and actually govern and do their job. Time will tell. I hope it doesn't take a cyber-Pearl Harbor for them to get off their butts.
Another venue for cybersecurity policy may be the judicial system. Perhaps the courts will impose duties on private industry by holding companies liable for cyber intrusions. I can just hear the outcry against the trial lawyers now. But the fact is that the courts can make law, or at least legal precedent, in the absence of Congress acting. You could see negligence actions brought against companies that don't do enough to protect themselves and, more importantly, their customers.
I am not personally a big fan of that scenario. We have enough people screaming for tort reform as it is. The country needs a cybersecurity policy. We need leadership to do this. It is time our leaders lead on it.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from a startup to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group's security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.