Debate Heating Up: Cybersecurity Act of 2010 S. 773

Forbes contributor Richard Stennion doesn’t like the Cybersecurity Act of 2010 very much. We know it around here as S. 773 and have been tracking it for some time. Mr. Stennion and I disagree on some key points. He says that S. 773:

“…contains some pretty drastic measures that are going to be very disruptive, and I believe detrimental.”

I strongly disagree. My position is that legislation implemented ahead of catastrophe with proper debate works much better than crisis management performed during chaotic events.

My position: Lead, Follow, or Move Outta the Way!

After several years of research into cybercrime, my analysis is that we can wait to have all of our intellectual property looted via malware, wait for a cyber Pearl Harbor, or proactively mitigate our risks of cybercrime and cyberwarfare. Here’s how that breaks down:

  1. Inaction on this matter will not accomplish the goal of protecting the nation. The status quo adopted today will not assist the economy in surviving the online and widespread looting of this nation’s resources through the Internet. Cybercriminals are now well organized and industrialized.
  2. Our nation’s small business accounts are at risk every day from malware, which is harder and harder to prevent. Small business has long been established as the heart and soul of this nation’s economy. Small business accounts looted by credential theft through malware and phishing are not considered to be mandatorily reimbursable by the banks.
  3. Our nation’s workers do not have the cybersecurity education they need to do their part in hardening the target and becoming a smaller risk factor to their companies. SOeC (Securing Our eCity) shows that targeted cyber-education efforts do work to raise awareness. Spreading successful educational methods by targeting the SMB is one of the key objectives of S. 773.
  4. The cybercriminals are faster and have shelter from litigation and arrest. With President Obama citing an estimated $1 trillion in global intellectual property lost annually, we’ve got to do something, or every bit of intellectual property our innovative little elves in Keebler trees can think up will be offshored and in production before the patent ink dries on the application.

We are up for the challenge, but this doesn’t fall strictly on the shoulders of the government. Those of us in the private sector can do much more to contribute.

Related video: feel free to watch the front lines of the FBI and US Attorneys’ cybercrime units talk about the positive impact of public-private cooperation.

When the matter of National Security becomes an issue, regulation often becomes a mandate. Simply:

  1. There are three kinds of regulation of industry – government-mandated, industry self-regulation (like the MPAA for movie ratings), and consumer-driven standards (voting with your dollar).
  2. It is the responsibility of the Executive Branch and the Legislative Branch, as set out within the Constitution, to protect the nation from all enemies foreign and domestic.
  3. The gentle method is through Congress voting for the proper powers to be given to the Executive Branch. Otherwise, the E-branch can simply clamp down in an emergency – which it is already entitled to do under the Constitution and US Code – and fight it out in court afterwards.

The opposing viewpoint:

However, these are the results predicted by Mr. Stennion:

“If passed, S.773 will be an unmitigated disaster for the security industry, security professionals, and the security stance of the US government.  Remember Sarbanes-Oxley? There was one tiny reference to "security frameworks" in that bill that caused every security team at publicly traded companies to drop everything they were doing and document their compliance with ITIL and COBIT.  Some would argue that is a good thing but the end result was not enhanced security postures, but enhanced record keeping.”

Disaster? Not entirely true:

Let’s look at two recent industry standards levied by the government and ask ourselves if regulation was needed.

  1. SOX is the result of issues like Enron, WorldCom, and many others. No longer were businesses able to ‘self-regulate’ and work around the rules. By requiring mandatory record keeping of compliance, an audit trail and an additional layer of responsibility are created. In other words, fraud is not impossible, but it certainly is a whole heck of a lot harder!
  2. PCI-DSS is another recent standard enacted. This accusation can’t logically pick and choose among the standards that were enacted without admitting that PCI-DSS requirements are critical to the online banking industry’s bottom line; that is, consumer bank account fraud (PIN fraud, carding, etc.) is considered reimbursable and will cost a business something rather than just costing Joe Sixpack and Jane Q. Public their paychecks.
  3. Facts are facts – if your business has a malware-assisted data breach like TJX did and your security software was never updated, you’re rightfully on the hook under PCI-DSS standards. I don’t see the fact that PCI-DSS mandates responsibility as a bad thing, even though I’m taking my own precautions, carrying around a bit more cash than usual, and never using my debit card.

As an aside, Jeff Debrosse has an excellent white paper on the topic of malware and compliance standards.

Cybersecurity termed a ‘vibrant industry’ soon to be stifled?

Mr. Stennion states:

“This bill represents a gargantuan overlay on top of a vibrant industry that is finely tuned to address the rising threats that this bill attempts to address. It will be a windfall for those involved in cyber security certification, and academics who have been left in the dust by advances in cybersecurity being developed by entrepreneurial firms. If enacted it will create a guild of government certified security professionals that have the luxury of taking the time to qualify.”

My opinion: Nope

First, not everyone can be a security specialist simply because they executed a script as a ‘script kiddie’ way back when. I’m curious where in the bill he sees a vibrant industry being stifled through the impact of standardization.

Second, standardization of qualifications in any field is something most experts agree on – look at ISO 9000 and many other standardizing methods. Let’s also face facts: this measure of government intervention has historical precedent when a threat to national security is as broad as the one cybersecurity currently presents – examine the War Production Board from World War II:

  • “…established (Jan., 1942) by executive order to direct war production and the procurement of materials in World War II. The chairman (Donald M. Nelson, 1942-44; Julius A. Krug, 1944-45) was granted sweeping powers over the nation's economic life. The WPB converted and expanded the peacetime economy to maximum war production; controls included assignment of priorities to deliveries of scarce materials and prohibition of nonessential industrial activities. During its three-year existence the WPB supervised the production of $185 billion worth of weapons and supplies.”

This type of government control is within the Executive Branch’s reach, and experts differ on whether this type of control is required. I don’t think we’re at this point yet, but the threat calls for regulation, and since self-regulation of the public sector has failed miserably, as has consumer-based regulation, there is only one other option.

Mr. Stennion states:

“And of course, those that vote for this Act will be able to point to the proactive stance they took when the next cyber embarrassment occurs. They will not have done anything to prevent the next cyber incident. But they will have covered their…backs.”

My view is that, since there is no detailed and better Plan B offered by Mr. Stennion, objections without solutions don’t help this problem, which is the third largest concern to the FBI behind terrorism and nuclear proliferation. At certain times we have to trust and empower our decision makers. We voted them in, and we can vote them out or move to impeach them if they abuse our trust.

Securing Our eCity Contributing Writer

Author: ESET Research, ESET

• Rob Lewis

  The image of the Keystone Cybersecurity Cops comes to mind here. Of course self-regulation has failed, since the public sector had no good choices and was left with a broken security model and flawed solutions, such as AV. Legislation to regulate will only lead to more layers of what is failing now and more complexity, and ultimately, a hard fall.
