More Cybersecurity Experts Blast US IT Security Legislation
In the second of a series of posts on the subject of current U.S. cybersecurity legislation, CIO.com blogger Constantine von Hoffman speaks with experts from Appthority, Axway, Kindsight Security Labs, Rapid7, Raytheon Trusted Computer Solutions and Voltage Security for their takes on the laws.
Because the elected amateurs already weighed in on the topic it seemed like a good idea to get some thoughts from the experts. So I asked a bunch of security execs about cyber security laws. For example, do we need a new policy? Will it do any good? What should it include? (Go here, here, here and/or here for more information about the cybersecurity laws proposed in the latest Congressional session.)
“We need to see legislation that outlines, goes over the risks and provides guidance on how to deal with emerging threats around mobile devices. We’ve seen businesses and federal organizations struggling to deal with BYOD and emerging threats that come from employee devices into the workplace. Without legislation or standards to push developers, they have little incentive to do so.”
John Thielens, CSO, Axway:
“Security legislation is always a hotly debated topic. Part of the challenge for the Cybersecurity Act was the pooling together of ideas that have clear benefit with other ideas whose benefits are less clear, or are at least controversial. Some measures will be industry-specific and would be best handled by regulatory agencies, instead of with a broad brush. Other measures will be more strategic, such as public/private partnerships to improve technical education. Funded mandates, even for security, have a greater likelihood of successful implementation, so the proper incentive structure needs to be included in any legislation. However, if we try to do it all at once I fear we will wind up with a compromise, a stalemate or a camel – and that’s just not good security.”
Kevin McNamee, security architect and director, Kindsight Security Labs:
“We’d like to see federal agencies help fight the war on botnets. The technology tools to detect and eradicate botnets are available, but ISPs may be reluctant to use them because of potential liability and privacy issues. Federal agencies can clarify these points by developing an industry code of conduct that supports different botnet detection and eradication methods. With such policy, service providers can use their unique position within the network to detect, notify and remediate botnet infections, and protect consumers.”
Richard Li, VP of security strategy, Rapid7:
“I’d like to see US federal cybersecurity legislation focus on at least two main areas: growing the cyber workforce and protecting critical infrastructure. The former is vital because the United States currently has a deficiency of skilled cyber professionals, and at the same time, the cyber threats facing us are increasingly sophisticated and prevalent. Simply, it has become easier and faster to make a lot of money from cyber-attacks, and not enough people in the US are trained to combat these attacks. We need to see the government appropriately incentivizing entry into this sphere and providing effective training to develop necessary skills.
“Critical infrastructure reform was one of the main sticking points on the Cybersecurity Act of 2012 and is one of the most important changes that need to be made in my opinion. Our critical infrastructure is a significant vulnerability for this country, and it represents an attractive target for our attackers. Organizations that provide critical infrastructure such as power need to perform periodic risk assessments of their cyber infrastructure, and harden their systems to meet minimum security standards.”
Ed Hammersla, COO of Raytheon Trusted Computer Solutions:
“Legislation with teeth. The problem we face in legislating cybersecurity is that federal government agencies are told what to do but are not held accountable for actually doing it. Agencies need to follow mandated guidelines to ensure their security posture, and if they fail to meet those guidelines then they should lose funding or incur other types of penalties. Putting out reports or even “grades” does not help improve security posture if there are no repercussions for not following guidelines.”
Mark Bower, data security expert and VP at Voltage Security:
“Here’s what I’d like to see: First, recognition that today’s threats cannot be mitigated by building walls around networks, systems, databases and applications any longer. It just doesn’t work. Data has a way of making its way out of “containers” and can travel anywhere. Therefore, the sensitive data itself must be protected. We believe that the data is, in fact, (or needs to be) the new security “perimeter.” Intrusion detection and prevention systems, next-generation firewalls, web filtering, VPNs, anti-virus/anti-malware, etc. – all these layers of security simply do not keep determined attackers from breaching a network and stealing private data. Therefore, regulations need to start focusing there: on protecting the data itself. And with fairly recent and proven technology innovations, it’s possible to easily, quickly and cost-effectively protect data in such a way that even if it’s stolen, it’s useless to criminals. That being the case, there’s really no excuse for it to remain so vulnerable.
“Second, one of the biggest problems with government regulations worldwide is their inability to stay current to the threats. The attackers can (and do) take advantage of “compliant” organizations that are still actually vulnerable as a result. Regulations need to openly embrace new defenses, and data-centric security is a perfect example. Organizations should either remove or protect sensitive data by default – ideally by regulatory guidance – such that attackers won’t gain anything of value in the event of a breach.”