The biggest issue I have with the CyberSecurity legislation that's being put forth in Congress these days is three-fold:
- It has no teeth. It is just more policy with no accountability or meaningful penalties for non-compliance
- It consists of paper audits -- more of the same useless audits
- The auditors would not be CyberSecurity experts. This last one is insane.
This nation's critical infrastructure (power grid, water supply, oil & gas refineries, etc.) is run and managed by IT systems and software applications. These systems and applications were not built with security in mind and can only be tested and measured by IT security tools in the hands of experts. Beyond our critical infrastructure, we also have thousands of IT systems and software applications managing sensitive data -- military secrets, privacy information, our wired and wireless communication systems, and more. Many of these systems are built and managed by large government system integrators.
Until we have IT-based policy, coupled with IT-based controls, automated monitoring, and real penalties for non-compliance (which means financial), we will continue to fail when it comes to CyberSecurity protection. And we are failing, make no mistake about that. 2011 had more publicly reported data breaches than any year prior. Having spent 10 years working for various government agencies before moving to the private sector, I can tell you that the only difference between 2011 and prior years is the "public" part of those breaches -- they've been happening for years to government agencies, systems integrators, and the private sector, but most were not reported publicly.
Representative Jim Langevin of Rhode Island introduced a cybersecurity bill to Congress last March. There are four major features I like about this bill:
- It would give DHS the authority to compel private firms deemed part of the critical infrastructure to comply with federal security standards
- The standards are based on the recommendations of cyber experts with first-hand knowledge of the reality of the challenges facing each industry
- It carries financial penalties for sub-standard audit results. This includes ALL organizations in-scope, whether they are federal agencies, systems integrators, or private sector. If you're part of what is deemed "critical infrastructure" you must comply
- And, most importantly, imo, the mandated audits include IT security products that will test and monitor the systems and applications for security holes
Unfortunately for Rep. Langevin's bill, lobbying and political pressures have stalled it -- probably because it includes measurable accountability and, for the first time in our history, insightful, practical policy for CyberSecurity defense.