The two distinctly different Senate cyber-security bills currently making their way through the US Congress respond to the ever increasing cyber-assaults and cyber-threats against the US, and particularly against the CIKR sectors. It is clear that action must be taken to further harden our IT systems against these asymmetrical and often successful attacks.
The first bill would identify and establish additional cyber-security standards and regulations that the private sector would have to follow and report on to the Department of Homeland Security. In turn, DHS would act as a facilitator in exchanging information on a need-to-know basis with the private sector.
The second bill generates no additional standards or regulations for the private sector to follow and report on, nor does it place additional responsibilities upon the already overburdened DHS. This bill focuses primarily on information sharing between the public and private sectors to ensure protection and defenses against cyber-assaults and cyber-threats. By focusing on information sharing rather than additional regulations, the private sector can save the time, effort and unnecessary spending on the additional staff needed to report to the government on how they are complying with new regulations. Furthermore, they can use the money saved to harden their cyber networks, both physically and electronically.
Some commentators say that this second bill doesn’t go far enough and imply that businesses would have no incentive to further invest in cyber-security. Any business, and especially one that controls part of our CIKR sectors, that doesn’t do everything possible to protect its networks is playing with fire. There have been more than enough examples of cyber-attacks and assaults against not only our government IT systems and our CIKR IT systems but also regular day-to-day business IT systems that it would be foolish for a CEO to think, “It can’t happen here.”
In our experience of protestor management, we hear this quote quite often from law enforcement and business prior to major protest situations; after the fact, law enforcement then complains, “If we had only known.” We also hear this same quote from businesses that find themselves on the receiving end of extremist group tactics, both physical and electronic. There are preventive solutions, and governments and businesses must embrace those solutions willingly; the level of negative publicity surrounding the threat seems to be making that happen.
In addition to the current federal and state regulations and rules for IT security that corporations must follow, we also have the Information Technology Sector-Specific Plan as an Annex to the National Infrastructure Protection Plan (NIPP). In addition, we have numerous agencies and/or organizations for each CIKR sector, such as the FERC and NERC, ISACs for each CIKR sector, the US Secret Service Electronic Crimes Task Force, the FBI InfraGard Group, and several other agencies and entities that monitor, share information and take action against cyber-assaults and threats. Almost all CIKR sectors and businesses belong to at least one of these organizations and readily share information across the government/private spectrum.
The agencies, organizations and private entities that made up the NIPP-IT working group agreed upon four basic goals that both the public and private sectors should strive for, to help prevent assaults and/or achieve a sustained reduction in the impact of incidents, thereby maintaining business and government resiliency. The goals have been identified as: identify, assess, and manage risks; improve situational awareness; enhance the capabilities of public and private sector partners to respond to and recover from threats and disruptions; and drive continuous improvement in IT risk management and resiliency.
Cyber-security is a tradeoff among expense, effort, inconvenience, privacy, security, and target hardening. Strong encryption protects the Internet from attack, but it also protects criminals, insider threats, terrorists, rogue states, and our potential enemies. Internal and external surveillance infringes on privacy, but it is also a weapon that protects us from criminals, terrorists and foreign governments wishing us harm through IT exploitation. High assurance systems may be secure, but users are inconvenienced and productivity suffers.
Remember that cyber-security is a balancing act based on the risk tolerance of corporations and agencies. We have enough regulations already in place. What we need is more information sharing, and it has to flow in both directions.