Forbes contributor Richard Stennion doesn’t like the Cybersecurity Act of 2010 very much. We know it around here as S. 773 and have been tracking it for some time. Mr. Stennion and I disagree on some key points. He says that S. 773:
“…contains some pretty drastic measures that are going to be very disruptive, and I believe detrimental.”
I strongly disagree. My position is that legislation implemented ahead of catastrophe with proper debate works much better than crisis management performed during chaotic events.
After several years of research into cybercrime, my analysis is that we can wait to have all of our Intellectual Property looted via malware, wait for a cyber Pearl Harbor or we can proactively mitigate our risks of cybercrime and cyberwarfare. Here’s how that breaks down:
We are up for the challenge, but this doesn’t fall strictly on the shoulders of the government. Those of us in the private sector can do much more to contribute.
When the matter of National Security becomes an issue, regulation often becomes a mandate. Simply:
However these are the results predicted by Mr. Stennion:
“If passed, S.773 will be an unmitigated disaster for the security industry, security professionals, and the security stance of the US government. Remember Sarbanes-Oxley? There was one tiny reference to "security frameworks" in that bill that caused every security team at publicly traded companies to drop everything they were doing and document their compliance with ITIL and COBIT. Some would argue that is a good thing but the end result was not enhanced security postures, but enhanced record keeping.”
Let’s look at two recent industry standards levied by the government and ask ourselves if regulation was needed.
As an aside, Jeff Debrosse has an excellent white paper on the topic of malware and compliance standards.
Mr. Stennion states:
“This bill represents a gargantuan overlay on top of a vibrant industry that is finely tuned to address the rising threats that this bill attempts to address. It will be a windfall for those involved in cyber security certification, and academics who have been left in the dust by advances in cybersecurity being developed by entreprenurial firms. If enacted it will create a guild of government certified security professionals that have the luxury of taking the time to qualify.”
First, not everyone can be a security specialist simply because they executed a script as a ‘script kiddie’ way back when. I’m curious to where in the bill he sees vibrant industry being stifled through the impact of standardization.
Second, standardization of qualifications in any field is something most experts agree on – look at ISO 9000 and many other standardizing methods. Let’s face facts also: this measure of government intervention has historic precedence when a threat to national security as wide as cybersecurity currently brings – examine the War Production Board from World War II.
This type of government control is within the Executive Branch’s reach, and experts differ on whether this type of control is required. I don’t think we’re at this point yet but the threat calls for regulation, and since self-regulation of public sector has failed miserably, as well as consumer-based regulation, there is only one other option.
“And of course, those that vote for this Act will be able to point to the proactive stance they took when the next cyber embarassement occurs. They will not have done anything to prevent the next cyber incident. But they will have covered their…backs.”
My view is that since there is no detailed and better Plan B offered by Mr. Stennion, objections without solutions don’t help this problem which is the third largest concern to the FBI behind terrorism and nuclear proliferation. At certain times we have to trust and empower our decision makers. We voted them in and we can vote them out or move to impeach them if they abuse our trust.
Securing Our eCity Contributing Writer
Author ESET Research, We Live Security