Among the many issues on President Obama's agenda is improving cyber security. He named a cyber security czar, for example. In response, Congress has also introduced bills that call for improved notification of data breaches, the creation of an executive office focused on cyber security policy and communications, and joint efforts between the government and the private sector to establish better security practices.
Speaking to improved private-sector security, Jimmy E. Sorrells, senior vice president at Integrity Global Security, would like to see the bill include a rating standard for software and other computer-related products. He told me:
There are a lot of folks who think that private enterprises who make computers and software aren't going to invest the money to do what it takes to make their products secure until there are regulations in place.
Right now there is a directive in place (not a law), issued through the Office of Management and Budget, that states that anyone selling IT products to the government has to have a security rating. The problem, Sorrells said, is the lack of meaning behind the rating.
You have to have a rating, but rated to what? There are no minimum standards. It can be a rating of zero and have little security protection, but it is still rated.
Hence, Sorrells' wish for the cyber security legislation is language in the bill that would set minimum rating standards for computer products. True, this would be a rating system that would only apply to the government at first, but it would have to trickle down to government contractors and, maybe, eventually to the private sector.
The benefit of having a minimum security rating? Sorrells said it would allow CIOs and CISOs to focus their attention on bigger security issues because security standards would require built-in security measures on every piece of computer equipment.