Heated debate over stalled cybersecurity bill pits pro-defense Democrats vs. hands-off Republicans

Ex-DHS official Stewart Baker says nation needs to recognize cybersecurity "crisis"

By , Network World
August 02, 2012 09:02 PM ET

Network World - The cybersecurity bill that went down Thursday to legislative defeat shows the deep schism in Congress that had Democrats siding with traditional national-security defense hawks, and Senate Republicans, who toppled the bill, largely siding with businesses that didn't want government foisting new regulations on them.

The White House today was expressing "profound disappointment" about Republican "obstructionists," claiming that "special interests" were "seeking to avoid accountability" and that the legislation would "better protect our nation from potentially catastrophic cyberattacks." One main point of debate in this now-stalled legislation is whether any new cybersecurity guidelines should be mandatory or voluntary for companies such as electric-power suppliers to follow.

Stewart Baker

The original cybersecurity bill had made proposed standards mandatory, but even after it was watered down to be more optional, it still didn't win approval from skeptical Republicans who don't want private industry regulated this way. This stance against cybersecurity regulation draws fierce criticism from Stewart Baker, an attorney who served at the Department of Homeland Security in the George W. Bush administration and at the National Security Agency, and whose national-security defense hawk credentials shouldn't be in doubt.

"I would support mandatory requirements because I feel this is a real crisis," said Baker, partner in the Washington, D.C. law office of Steptoe & Johnson.

Long connected in national-intelligence circles, Baker says he's speaking about his own personal point of view when he discusses the now-stalled cybersecurity bill.

Having voluntary standards for security simply isn't sufficient, Baker warns. But he acknowledges any type of new standards related to network security and audits "could be expensive." The North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection guidelines in place today simply aren't enough, he says. Baker has been an advocate of in-depth government-based auditing over networks providing critical electric supply, noting that a number of countries in Asia, including China, follow this practice.

Baker says the need for this kind of government oversight for vital infrastructure may eventually be "learned the hard way" when cyberattacks one day take down the grid or disrupt other critical resources the public takes for granted. But instead of lengthy debate and compromise over cybersecurity legislation, the ensuing panic in a crisis might result in extreme legislation that becomes law.

Industrial control systems (ICS) increasingly include Windows-based and other network products familiar to enterprise IT shops, and companies have admitted that updating ICS-based networks is difficult, as they did at the recent Industrial Control Systems Working Group meeting organized by DHS in May in Savannah, Ga. And of course, the covert U.S. and Israeli attack two years ago, carried out with the Stuxnet weaponized malware against the Siemens control systems in an Iranian plant suspected of developing a nuclear weapon, has become a clear sign that cyberattacks are real.
