The U.S. government has made significant strides with regard to raising cybersecurity awareness, but the efficacy of proposed regulation and legislation is being called into question. Steven Chabinsky, formerly one of the FBI's top cyber lawyers, recently spoke with the Washington Post regarding his take on these difficult issues.
Information-sharing policies such as the Cyber Intelligence Sharing and Protection Act (CISPA) and efforts to set standards are only effective in a limited number of situations. According to Chabinsky, the private and public sectors need to take a more proactive approach to truly address the cybersecurity issue.
"The FBI needs stronger partners in the private sector who can figure out who the bad guys are, and there needs to be much stronger relationships between the private sector, law enforcement and the courts to ensure that all the legal authorities that exist can be brought to bear against cyberattackers," Chabinsky told the Post.
Another problem many companies face is figuring out which actions they may legitimately take in response to a data security incident. For example, Chabinsky asked, if an organization discovers its sensitive data stored on an external service, should the company be allowed to erase that information? Because the relevant laws and best practices are unclear, the government and private sector need to collaborate on legislation that spells out which responses are sanctioned.
Critical infrastructure threat: More hype than reality?
The cybersecurity issue recently became even more complex when the Obama administration decided to draft a cybersecurity executive order. Because many of the country's critical infrastructure services are now Internet-connected, a security breach could be a threat at the national level, and several U.S. senators urged the president to make the move. However, the problem may have been overstated.
Supporters of the executive order say the danger is too significant to ignore, but digital attacks may not be as threatening as some have claimed. CIO magazine recently spoke with Nate Kube, founder and CTO of security software company WurldTech, who said that a number of measures are already in place to mitigate the risk posed by any single cyber threat. For example, according to Kube, critical infrastructure facilities are protected by non-digital safeguards as well, so a cybercriminal would have to attack the physical location to carry out most threats. Given that, an attacker intent on causing damage would find it easier to simply destroy the facility than to disrupt its operations through a cyberattack.
That doesn't mean the issue isn't real, of course, but knee-jerk reactions are surely not the answer.
"There are problems and we need to solve them," Kube told CIO. "We're doing so much more with automation, and anytime you automate something and have increased connectivity doing so across a large geographic area you have the option for folks to hijack it and do bad things. So security needs to be considered, but it's by no means a show stopper."
According to Kube, the general awareness that has been raised across the country now needs to be taken up more aggressively by C-level executives. One option is to offer cybersecurity incentives similar to those used in the energy industry.
For example, the American Recovery and Reinvestment Act of 2009 (ARRA) tied funding for organizations to clear expectations that improved not only the security but also the efficiency of the nation's power systems. Legislation such as ARRA has a second advantage: it gives companies an additional incentive to conduct internal audits, which increases transparency about the state of security across those organizations' industries.
Security News from SimplySecurity.com by Trend Micro