Cybersecurity Rules for Private Networks Proposed

According to the Washington Post and reporters Joby Warrick and Walter Pincus ("Senate Legislation Would Federalize Cybersecurity," April 1, 2009), there is a new Senate bill which proposes mandatory security standards for private industry. The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input.

It is my opinion that this is nothing more than window dressing and a platform for more big government and for politicians to be politicians. Government networks are compromised on an ongoing basis, and now we need the government to tell private industry how to protect themselves? I find that interesting at best.

The bill proposes a cyber czar to set compliance standards and monitor performance. Let's get real: compliance and security are two different things. How many PCI-compliant or HIPAA-compliant organizations have been compromised and lost consumer credit card info, Social Security numbers and other sensitive information? The answer is far too many! It does not matter that you were compliant when you have lost a million or more credit card numbers, Social Security numbers, or company-specific proprietary data.

Unless there is a change in corporate culture and a genuine and informed approach to protecting critical data, theft of information, compromise of infrastructure and other malicious activity will continue. Yes, I agree wholeheartedly that cybersecurity is a major issue, but it's not all about technology. When the CEO looks to his Chief Information Security Officer and says, "We're covered, right?" while meanwhile HR is hiring criminals, or employees find themselves in financial trouble and view theft of company data as a solution, the answer is: not a chance!

While the sponsors of the bill talk about power being knocked out or traffic lights not working due to malicious activity, that is trivial compared to what could really happen. The largest potential threat is data poisoning. I can assure you that a monetary system compromise poses a significantly greater risk than a compromise of utilities. Compromise or poisoning of monetary transactions could certainly have global impacts, especially if we consider that most compromises are not detected when they occur but rather months later.

If our power is compromised, we know it soon after because THE LIGHTS ARE OUT. Compromised financial transactions are not as readily detectable and could take months to be recognized. The SEC has enough problems identifying white-collar criminals and bogus transactions. What if there were deliberate acts of data poisoning within the world's monetary systems? How long might that take to identify, and how would the issues be reconciled?

Having now said all this, you tell me: where is the real threat? Establishing more compliance regulations only creates more misunderstanding. Information security starts with culture, and you cannot regulate that.
