There is hardly a dearth of groups worrying about cybersecurity. Yet another report on the subject was released this month by yet another group few people had heard of. The report has raised eyebrows by suggesting that buyers should be able to say they want vendors to offer secure systems.

Last month I wrote about the purposely toothless recommendations that the National Cyber Security Partnership (NCSP) is releasing. Since I wrote that column, the NCSP has released an additional report that fits the same mold as the previous two.

This other new report, however, is from the Corporate Information Security Working Group (CISWG), which Rep. Adam Putnam (R-Fla.) established late last year.

The group was established in lieu of introducing legislation, strongly opposed by the business community, that would have forced publicly traded companies to include a report of an information security audit in their annual Securities and Exchange Commission filings. I guess the business community worried that such audits might reveal that corporate indifference to information security issues is far too common. The threat of the truth can make some people nervous.

The CISWG report consists mostly of four lists of recommendations and some supporting information, including a good list of information-security-related references. The recommendations, if fully implemented, might not be quite as toothless as the NCSP recommendations. That might or might not be a good thing.

The Awareness and Education Recommendations include developing materials that would make it clear to home users, and others, including corporate executives in small and large businesses, that information security is good stuff.

The Best Practices Recommendations, among other things, feature establishing an international “umbrella organization to oversee the further development of IS guidance for organizations and users of all sizes and types” with representatives from just about every walk of life.
Sounds like a perfect way to ensure that nothing gets accomplished.

The Incentives-Liability/Safe Harbor Recommendations include throwing the insurance industry at the problem by asking it to “modify the degree of availability and the cost of cyber-risk insurance protection based on the degree that the company exercises cyber-risk best practices.” This presumes the insurance industry would be better at picking effective best practices than the high-end auditing firms have been – a presumption I have a hard time supporting. But making it harder for a company that doesn’t even try to address information security problems to pass the risk of its inaction to an insurance company is not a bad idea.

Finally, the Procurement Practices Recommendations include the suggestion that has attracted the most attention from the news media. After recommending that the U.S. government mandate minimum configuration security standards for government-purchased equipment, the working group recommends providing “an exemption from U.S. anti-trust laws for critical infrastructure industry groups that agree on obligatory security specifications for software and hardware they purchase.”

This seems like the approach of the anti-virus industry: Most vendors can only fight yesterday’s problem because that is all they know. These vendors also give a good road map of ignored areas.

Disclaimer: Harvard does not confine history to the history department, but is not constrained by it in other departments. Still, the university has not commented on this report.