Proposed legislation currently making its way through the House of Representatives could be a good first step in the right direction for the government and private companies looking to collaborate on cybersecurity measures, but the bill requires further tweaking before it can gain the necessary votes, lawmakers said recently.
A main provision of the proposed bill, which some have said is long overdue in promoting a data security partnership between the public and private sectors, is the creation of the semi-independent National Information Sharing Organization. Through the NISO, firms in the private sector and public agencies can collaborate on the cybersecurity threats they face, as well as means for protecting critical infrastructure.
Numerous changes have already been made to the proposed legislation, but some House Democrats are calling for further amendments, according to a recent Bloomberg report. Specifically, the legislators are calling on the bill's authors to define how consumer data privacy will be upheld when such information is shared through the NISO.
Prior to having any chance of being passed, according to Bloomberg, New York Democrat Yvette Clarke said lawmakers must "explore the real-life implications of such a body and its actions, and how it would affect the department's ability to enhance cybersecurity for our government agencies." Clarke is the senior Democrat on the cybersecurity subcommittee that held a hearing on the proposed legislation on December 6.
Industry experts and data privacy advocates have echoed such calls by House Democrats. Gregory Nojeim, the senior counsel at the San Francisco-based Center for Democracy and Technology, told Bloomberg that consumers have a right to know what information is being shared by companies and the government.
He added that only information that will help fight cybersecurity threats should be passed on to the NISO, and none of it should be used for law enforcement purposes, according to Bloomberg.
And while collaboration between the government and the private sector has been promoted as key to enhancing Internet security in the United States, some are questioning whether more regulation is the answer. A recent ZDNet commentary by data security expert Torsten George argued that more compliance requirements may only add to the problem.
Companies, George said, are more concerned about compliance than actual security.
"Unfortunately, being compliant does not equate to being secure, as compliance lacks the correlation to risk and is conducted periodically, rather than continuously," he wrote. "Thus, only regulations that mandate prioritizing security in the overall picture will really move the needle."
Still, cooperation between privately held companies and the government remains necessary if the U.S. is to fend off continued and escalating cyberattacks on both enterprise and federal networks, some experts say. Cheri McGuire, the vice president of global government affairs and cybersecurity policy for a security firm, testified before the House subcommittee that it's in everyone's best interest to create a so-called data security clearinghouse like the NISO, Bloomberg reported.
She said the move to “share information is a strong step in the right direction,” according to Bloomberg.
This legislation is another sign that organizations in the U.S. are acutely aware of the cyber threats they face and are determined to do something about the cybersecurity issue. That notion was also reflected in the recently released 2011 Lloyd’s Risk Index from insurance market Lloyd's of London.
The report revealed that organizations in North America, where cybercrime costs about $96 billion annually according to Lloyd's, have taken the lead on data security and routinely outpace the rest of the world in terms of both security measures and research.
Data Security News from SimplySecurity.com by Trend Micro