I was catching up on cybersecurity news today, and I couldn’t help but notice the conflicting messages coming from government (I know, what a shock there). In one bit of news, it looks like Congress has turned cybersecurity into a game of political cat and mouse. In other news, maybe it doesn’t matter what Congress does anyway, because no one is really enforcing the regulations that government set up already. And yet, there is other news that mentions how aggressively and swiftly the government is set up to handle an attack like Stuxnet.
It is all enough to make my head spin. But then, it is pretty representative of how cybersecurity is viewed on the whole. No one can quite agree on how best to protect the networks, and there is no real consensus on how best to respond to attacks of any kind.
First, Republican senators have just introduced the SECURE IT Act, an alternative to the previously submitted Cyber Intelligence Sharing and Protection Act (CISPA). According to CSO Magazine:
The main difference between the two bills is that the Republican version does not give any new regulatory authority to the federal government to set cybersecurity standards like the Democratic version does. The new version of SECURE IT also restricts the purposes for which government can retain and use cyber-threat information. [The bill] will allow companies to legally share real-time cyber-threat information from their networks with other industry stakeholders, law enforcement and government.
This bill isn’t all that different from CISPA — both bills have privacy groups up in arms over the sharing of information. Where the two bills part ways is in the government’s role — SECURE IT eliminates new government regulations.
However, that might not mean much. Even when government has specific guidelines in place, they are being ignored. For example, the U.S. Securities and Exchange Commission (SEC) instituted guidelines instructing companies on disclosing data breaches and risks from potential breaches in their financial reports. Not surprisingly, since these are guidelines and not mandates, few companies are complying with the suggestions. And so we head back to Congress, where Senator Jay Rockefeller wants to strengthen the reporting process, making it clear to companies that they must disclose these breaches. I think Rockefeller is right: this information should be disclosed, but the political watcher in me says it will never happen. And then the losers in all of this are consumers, who have no idea when or if their information is at risk.
Yet, government is still doing its best to protect the nation’s infrastructure. A new report from the Department of Homeland Security’s Industrial Control Systems Computer Emergency Readiness Team (ICS-CERT) pointed out that there has been a huge surge in cyber attacks in the past three years, since the team was created. The report focused on the response to Stuxnet, which was criticized as slow by security experts, but the report also let it be known that the response team was, well, responding to incidents.
I had the chance to speak with some Kaspersky Lab experts last week — which I’ll touch on later this week — and every single one of them discussed the need for better education and awareness of basic cybersecurity. I suspect there is no entity that needs to hear that more than government.