As I’ve mentioned in a previous post, this is the time of the year when security folks like to share their predictions on what may happen next year. Here is a prediction that intrigued me. It comes from Benjamin Caudill, CEO and principal consultant at Rhino Security Labs, who predicted that in 2015, we’re going to want better cybersecurity laws. To quote from his email:
“There's likely going to be a lot of pressure on lawmakers to address the cybersecurity situation from a legislative standpoint. At the moment, breach notification requirements and information security regulatory standards are patchy, antiquated, and fall short of what's needed. There's a need for laws that make sure that breached companies inform victims in a prompt and helpful manner, and an even more urgent requirement for laws which set minimum information security standards and guidelines. Expect to see information security issues come to the fore in courtrooms and senates around the world.”
As many of you know, I’ve been a proponent of cybersecurity legislation for a long time. The stakes are getting higher when it comes to cybercrime, and the time has come for legislative bodies at both the state and federal levels to recognize that citizens and businesses need better protection and more universal breach reporting regulations.
Perhaps Caudill is on to something. It isn’t 2015 yet, but as the Congressional session winds down, we’re seeing some action on Capitol Hill regarding cybersecurity. GovInfoSecurity reported on the latest about NIST’s role in cybersecurity:
“On Dec. 11, nearly six years after proposing the legislation, both houses of Congress passed on voice votes the Cybersecurity Enhancement Act of 2014. That bill, expected to be signed by President Obama, would formalize cybersecurity as one of the National Institute of Standards and Technology's priority areas of focus. . . . [T]he bill would direct NIST to continue to facilitate industry-driven processes for developing voluntary cybersecurity standards for critical infrastructure as it did when it created the cybersecurity framework.”
It’s not perfect, but it’s a start. I think Caudill’s point that there is a greater need for better information about data breaches is one that Congress needs to take up sooner rather than later, especially in light of all of the retail breaches we’ve seen in 2014. But if this bill gets government and industry to work together to discuss cybersecurity concerns, we’re moving in the right direction. Let’s hope this is a prediction that comes true.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba