Reports are that the latest round of cyber-attacks have been aimed at large media outlets like the New York Times, Wall Street Journal and Washington Post. Before media, large banks and other financial institutions were being targeted. Before the financial industry, it was something else. All the while, the U.S. government is under constant bombardment from potential cyber threats probing for weaknesses.
Whether you believe that this most recent round of attacks or any of the proceeding waves are from China, or whether you believe that, if they are from China, the Chinese government was behind them, one thing should be clear: these attacks are not going away. Last year, we saw the rise of hacktivism. Now, if current theories are correct, we are seeing cyberattacks as revenge and retribution. Media outlets that were critical of Chinese government activities are being targeted.
Cyberattacks for political and nation-state strategic gain are becoming the norm. It is time that we as a country recognize this and do something about it. Having been in information security for over 10 years, I have come to a realization. Perhaps you can call it Shimel's Security Catch-22 Theorem. No matter what, a government or other governing body enacting cybersecurity rules or laws will be flawed; cybersecurity is best left to cybersecurity professionals. On the other hand, though, without some rules or laws the cybersecurity professionals will never get the chance to do so. This dichotomy means that we need some sort of cybersecurity rule or law to be enforced, even if it is flawed¸ to give the security industry a seat at the table and do what needs to be done.
Previous attempts by our government to enact cyber security legislation have been foiled by lobbyists and special interest groups. The fact is many in the security industry have opposed cybersecurity legislation because we know it will be far from perfect and could harm as much as help. But without it, we are never going to have the opportunity to do something to protect our country until after it is too late.
There are those predicting a cyber Pearl Harbor. They know that it is only a matter of time until something beyond annoyance or moderate financial loss takes place that will finally awaken the country to the fact that we need to get serious about security. I am sure that when that happens there will be some who, like the people who say FDR knew about the Japanese attack beforehand, will claim we let this happen because we wanted it to force our hand.
But why do we have to wait until after the attack? The writing on the wall is plain enough for us to see now. I suppose with the dysfunctional government we seem to currently have, the difficulty of getting a cybersecurity policy or law in place should not surprise us. But there comes a time when you really do have to act for the good of the country.
I know there are plenty of my colleagues in the security industry who differ with my opinion. They want the government to stay out of legislating cybersecurity. But when matters rise to the level of a national interest, that is exactly the circumstance our government needs to act. We have reached that threshold. The government needs to act. In the long run, it will enable the security industry to do what needs to be done. It doesn't have to be perfect, it just needs to get the ball rolling.
Some of my friends say what we need is to put both civil and criminal negligence rules in place to hold those who are negligent in implementing cybersecurity liable. But isn't that a law in and of itself? In order to prove negligence, we need to prove a deviation from the reasonable. I don't see how that is different from the government passing a cybersecurity law.
There is another line of reasoning that no matter what laws we pass, no matter what the security industry does, we can never truly safeguard our critical infrastructure. Advanced persistent threats (APT) and similar attack methods render all of our defenses inadequate. Perhaps that is true. But that is not a reason not to try. If at first we fail, we will try again. If that fails we try yet again. Not succeeding on the first try or even not succeeding at all is never a reason to stop trying to do what must be done.
So while there are people who say that the government should stay out of cybersecurity regulation, I think now is the time that the government needs to get involved. Our critical cyber infrastructure extends beyond the government's network. We need to make it clear what a reasonable organization must do to protect themselves and what the consequences are if they do not.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.
Policy on comments: Respectful discussion is welcomed! However comments that use inappropriate language, consist of name calling or personal attacks, or include accusations of wrongdoing are not appropriate. Those comments will be deleted or edited.