As the threats of cyberwar and cyberterrorism loom, government leaders have stepped up calls for legislative action to protect the nation's critical infrastructure. However, experts in the security industry are divided over whether legislation such as the Cybersecurity Act of 2012 is required for protecting the nation's critical infrastructure.
Also known as the Lieberman-Collins bill, the Cybersecurity Act was shot down in the Senate in August. It called for broad provisions for the monitoring of potential security threats to an organization's network or the networks of others if such monitoring were being provided as a service. The proposed cybersecurity legislation also called for a wide range of information sharing that drew opposition from civil libertarians and business groups who feared the bill provided too much government oversight and was too vague in terminology. Opponents also believed that its adoption would lead to prescriptive requirements that would interfere with business, and therefore be bad for the economy.
Paul Henry, security and forensic analyst at Lumension, a Scottsdale, Ariz.-based endpoint security company, said he thinks the bill's requirements would have been a mistake. "Everything we've had over the last decade that mandated some form of regulatory compliance has been, in my opinion, a failure. For example, SOX [Sarbanes Oxley] did not really raise the bar for security. It merely raised revenues for auditors."
Henry expressed skepticism that governmentally defined security would be effective, saying governmental mandates that either rely too heavily on outmoded technologies or require similarly outmoded practices fail to address evolving threats. He mentioned antivirus packages and traditional firewalls as examples of technologies that no longer pass muster against today's threats.
"The guidance needs to address more contemporary technologies such as application control and whitelisting, as opposed to AV as we know it," said Henry, whose experience includes 18 years of working with SCADA systems. "Firewalls are another example. The bad guys recognize that all they need to do is run their malicious applications over a port other than the one they are blocking with the port-centric firewall. So much of our most crucial infrastructure is not adequately protected because we are relying on failed technologies that are erroneously specified as best practice requirements."
Henry said that the nation finds itself in a quandary in which the inherent risks must face off against budget realities. "There needs to be some sort of financial incentive as opposed to just restrictions," he added. "We are in a very competitive environment, and unless you have a financial incentive, organizations won't spend the money to secure the infrastructure against attacks that have not even happened yet. People need to slow down a little bit, take a deep breath, and look for responses with sound methodologies. I don't see this coming out of Congress."
Henry is by no means the only IT industry insider opposed to the Lieberman-Collins bill. "It was much too heavy-handed," said Dorothy Denning, a professor in the Department of Defense Analysis at the Naval Postgraduate School and a security industry pioneer.
But according to Harry Sverdlove, CTO of Bit9, a Waltham, Mass.-based company focused on defense against advanced persistent threats, it's imperative the federal government be the motivating force that moves corporate attention beyond the quarterly report mentality and toward actionable results that can protect critical national infrastructure in advance of a 9/11-style catastrophe. He was disappointed the bill didn't pass.
"I don't know necessarily that the government can solve this, but it does force business to look at it more seriously. It needs to be a combination of carrot and stick," he said. "The problem is that we have infrastructure systems that don't have enough security in place because they were designed in a day and age when this type of attack was inconceivable. And the consequences of being attacked are dire. Things like our energy grid going down [or] our water supplies being polluted are all extremely dangerous and extremely frightening. There needs to be collaboration between public and private because the stakes are so high."
While the thought of increased federal regulation is unpalatable for some, attorney Roy Hadley, who leads the cybersecurity practice for the Atlanta-based law office of Barnes & Thornburg LLP, pointed out that if Congress fails to step up, the states will likely fill the void with a smattering of local laws that will likely be difficult to track.
"I might not be a fan of big government, but there are times when government can and should take control," he said. "And one of the reasons is that if the federal government does not adopt comprehensive legislation dealing with cybersecurity, the states are going to start doing it -- just as they did in the privacy area. And then all of a sudden you got 47 or 48 similar, but different laws, to deal with. And then it can become a real nightmare."
Meanwhile, another attorney, one who also is focused on matters of cybersecurity, suggests that Congress is ill-prepared to enact legislation because it does not understand the full scope of the problem or the resources that are already available.
"Congress does not understand that there is a whole body of cybersecurity best practices that are harmonized to each other," said Jody Westby, CEO and founder of Global Cyber Risk LLC, a Washington, D.C.-based consultancy. "For example, NIST makes world-class recommendations that are harmonized with the other best practices and standards from people like ITIL and ISO. Trying to put a bunch of regulations on business is just too costly. It's not going to solve the cybersecurity problem, and it's just going to force companies to spend money meeting compliance requirements, instead of adapting to the current threats and installing better mousetraps."
Westby called for the establishment of tax credits as a means of encouraging companies to invest in cybersecurity. "There should also be a requirement that public companies state in their SEC filings what they are doing in the area of security," she said. "Specific practices should not be mandated, but you should have to say whether you're doing something or not. That way their investors and customers will know, and this would create a culture of security."
The U.S. Securities and Exchange Commission last year issued guidance that made it clear publicly traded companies are obligated to report cyber risks and incidents in their SEC disclosures.
Westby added that more needs to be done at the international level to secure greater cooperation in cybercrime investigations. "I'd be in favor of a treaty that says, 'If you want to be connected to the Internet, then you agree to assist in cybercriminal investigations or else we are not going to support traffic in and out of your country.' "
RUNNING OUT OF TIME
By other accounts, the biggest obstacle to the Lieberman-Collins bill is the absence of a catastrophic 9/11-style event that drives home the need for added precautions.
"The recent failure of the Cybersecurity Act demonstrates that we probably need some major event to bring about the will to do something," said Chris Petersen, CTO of LogRhythm, a Boulder, Colo.-based security information and event management (SIEM) vendor. "But by that time, it might already be too late. And since we are on a reactive footing at that point, we might actually overreact. If we overreact, privacy will probably be completely put aside. That's my concern as well."
Petersen countered Henry's opinion about the need for practical encouragement as a means of gaining support from the business community, suggesting that the ramifications for noncompliance must be substantial.
"The bill took a lot more of a carrot approach than a stick approach," said Petersen. "I think if we are going to expect corporations to invest in the necessary resources to defend their infrastructure, it might take a little bit more of the stick."
Petersen leans toward the establishment of a structure with noncompliance penalties that are high enough to motivate companies to make the necessary levels of investment. "It's entirely possible that the government should be called upon to subsidize some of this cost," he added. "But we need to set it up as a national objective."
One vision for how to condense such a national objective into practical parameters comes from Steve Durbin, global executive vice president of the Information Security Forum, which was instituted 23 years ago as a nonprofit organization through which companies could study security-related issues. Durbin advises organization to adopt a four-phased approach that begins with an evaluation of the organization's business model, ascertains the full range and relative severity of the threat landscape, assesses the relative value of all the data and infrastructure, and culminates in the development and implementation of proper responses.
"The channel can be instrumental in helping with these things," he said. "I think it's a balance of the customer asking the right questions combined with the partner being open and transparent about what they can and cannot do. The onus is on both sides."
Such an approach would be consistent with the framework suggested by Andrew Jaquith, chief technology officer at Milford, Conn.-based Perimeter E-Security. Jaquith recommends that, whatever legislation or guidelines eventually prevail, they must be fully measurable for their efficacy.
"I think we saw the last round of cybersecurity bills fall victim to partisan wrangling in the Senate," he said. "So the buzzword now in the agencies in Washington is around continuous monitoring. But I think we need to develop clear success criteria in the legislation."
Jaquith added that the government also needs to take steps to foster the sharing of critical information among appropriate parties without fear of litigation associated with disclosing a vulnerability. Such a shield, he said, will be very important in generating the necessary cooperation. In addition, the legislation needs to focus on components that will drive genuine security rather than the mere appearance of security.
"These bills tend to start off with good intentions, but they water down the important places when the special interests try to beef up the stuff that doesn't matter," he said. There's also a lot of noise about having to certify security professionals. But certification does not guarantee anything."
Perhaps the key to the argument stands on the premise that regulations and their enforcement are not necessarily a negative phenomenon. Even in something as benign as professional sports, rules exist and are enforced by referees. And while blown calls are not especially rare, the presence of officiating is universally seen as better than the chaos that would otherwise ensue.
"Regulation done right is a good thing, but it has to be done right," said Mike Tuchen, CEO of Rapid 7, a Boston-based security vendor. "Politically, it [turned] into an election issue where the Republicans [were] saying that any kind of regulation is anti-business, but I honestly think that's a little misguided. If we could create the right policy that actually results in real security improvements, then it's a benefit to all of us. Our lights will stay on. Our water will still be safe. Those are the things we care about."
PUBLISHED NOV. 14, 2012