SecureState Blog


Why government regulation is necessary to enforce security

CISPA, the Cyber Intelligence Sharing and Protection Act, passed the House last month, and the Senate has indicated that it will not vote on the bill.

The Obama administration has also been outspoken in not supporting the bill, specifically citing concern over how this information could be used by the government.

The President has also said that he doesn’t believe the bill requires private organizations to take appropriate steps in removing personal information when sharing cyber security data.

Look, privacy will always be a concern when discussing legislation that can “monitor” activity from users and corporations. The security industry is comprised of folks who are extremely paranoid, and any attempt to pass invasive laws is generally going to be attacked, with privacy as the rationale.

However, if the private sector doesn’t have the means to stop an attack, or understand what they are facing, then personal information will be compromised anyway by the “bad guys.”

So really it becomes a question of who you would rather have accessing your information: the federal government or malicious attackers. I know that I would be much more comfortable with Uncle Sam taking a peek at my bank account than a hacker from China.

Furthermore, the government already has access to our personally identifiable information; we all pay taxes. Our tax forms contain our names, Social Security numbers, our family members’ names, where we live, where we work, our activities, etc.

So what exactly are we worried about?

As Americans, we have this belief that other countries have the same code of ethics as the United States, and that simply isn’t the case. If you think China isn’t sponsoring hackers to gain a competitive edge by any means necessary, then you’ve been living under a rock. Look at all the recent headlines regarding damaging attacks, such as Distributed Denial of Service (DDoS).

The United States government needs to be more actively engaged with the private sector. Given the emerging threats and state-sponsored activities, the private sector is facing a David-and-Goliath situation. No single organization can take on China in a cyber security battle, and that’s why we need bidirectional communication.

At this point, without a mechanism to share it, collecting more data and correlating possible attack vectors and threats provides little value to United States-based companies. That’s why we need CISPA: information regarding any threat pertaining to an industry segment should be released and categorized, similar to how the TSA (Transportation Security Administration) and DHS (Department of Homeland Security) index possible physical threats.

Correlation of events across organizations is a key component of monitoring and determining potential sources of attack. We currently have no way to do this, which makes it impossible to issue threat-level warnings to specific industries. In essence, the Internet in its current state is like the Wild West for business, and the threats continue to grow.

As a whole, both the private and public sectors need to take responsibility for attacks, not only by monitoring and correlating these events but by being proactive in preventing them. The best defense is a good offense, and unfortunately we are not dedicating enough resources to fight these emerging threats.

At SecureState, we help businesses prepare for and set up controls to stop cyber attacks, but unfortunately our client list is just a drop in the bucket. The importance of protecting company and customer data needs to be a top concern for national security, especially with our already fragile economic recovery.

It all boils down to the basic argument of liberty or security.

Benjamin Franklin is often paraphrased as saying, “Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one.”

But when our freedom (information) is already being compromised, we have a responsibility to protect our personal and national interests.

The bottom line is that until the United States considers these attacks to be cyber warfare and takes appropriate action, companies and their customers will continue to be at risk.

At some point, and that point is now, if organizations do not want to spend the money to protect themselves, the government will have no choice but to step in with more law and regulation to mitigate these threats.

This may be one of the first times in history when we the people have a chance to stop an imminent threat before it becomes a national disaster. Hopefully the Senate and ultimately President Obama will change their minds.