WHY IT MATTERS: Cybersecurity
Oct 11, 2012
The ideological divisions between Republicans and Democrats have grown so wide that the parties can't agree on how to confront a risk that they all acknowledge is real. At its core, the stalemate is a microcosm of the larger argument underpinning the presidential campaign: How involved should the federal government be in the economy and people's lives?
The fundamental issue is that critical elements of our national and economic security are owned and controlled by private companies. These private companies are not accountable to the voters and citizens of this country, and they may (and often do) put near-term profits ahead of long-term safety and security of their company, the services they offer, and the people of this country.
However, right now I agree with the Republicans on this debate.
Ten years ago (10!) the Federal government passed into law the Federal Information Security Management Act (FISMA) that requires government agencies and contractors that process Federal information to protect their computer systems and data. 10 years later it would be difficult to find any organization that truly complies with FISMA. Details of implementing it are still being hammered out.
Critically, the security landscape 10 years ago was very different from what it is today. Highly mobile, always-connected iPhones, iPads, and Android devices didn't exist. Cyber attacks were still largely the purview of individual, young, generally poorly trained hackers doing it for the thrill. Today's attackers are professionals, or more precisely, they are professional organizations. An entire economy now exists to support the professional attackers. Advanced Persistent Threats (APTs) and large-scale cyber espionage hadn't really emerged.
Given the track record of government-mandated computer security – e.g., the Computer Security Act of 1987 (anyone remember "C2 by '92"?) and FISMA 2002 – any government-mandated computer security requirements passed into law today would probably not be implemented until 2022 at the earliest. Does anyone know what the computer security landscape will be in 2022?
My recommendation regarding any mandate is to let FISMA run its course. Let the government finish hammering out the details, roll out implementations throughout the government, and evaluate how effective those implementations are against modern, professional attackers. If they prove effective, FISMA-compliant implementations can serve as shining exemplars for private industry to follow.