This is the fifth post in a multi-part series following the President’s State of the Union speech back in January. The series examines how the information security community needs to engage with the government to shape laws which will affect the industry. You can see the first, second, third, and fourth posts.
Let's take a look at prescriptive requirements. There has been little discussion of requiring companies to meet security standards.
Somewhat surprisingly, the National Cyber Security conversation in 2015 has not really included much about mandated or prescriptive requirements. While the government-private partnership for critical infrastructure has been expanding cyber intelligence and threat sharing, business interests have largely avoided any dictates for companies to protect themselves. In cyberspace, protections, even across companies in the same industry, vary widely.
We thus have a system where businesses are protected in physical space by a combination of common sense, insurance requirements, and local law enforcement. Common-sense cyber equivalents to guards, gates, locks, and guns are unknown to many business leaders and owners. Traditional insurance has required very little cyber security implementation. Even cyber insurance has few standards driving secure implementation and protection of systems, applications, and data. There are no cyber cops doing drive-by checks to see if your cyber buildings have been broken into or defaced.
Extending the analogy, while no one would sell or rent a building, office space, or warehouse without door locks – Google, Amazon, and others will happily sell cheap processing power, bandwidth, and storage without firewalls, intrusion detection, backups, or redundancy.
Financial services stands in stark contrast to this general lack of prescribed security. Legislation in the form of 1999’s GLBA mandated that financial services companies must have a cybersecurity program. In 2005 the FFIEC managed to be prescriptive with proactive guidance to conduct risk assessments and improve online banking security – yet also managed not to force every bank to implement the same solution for online banking security. The FFIEC and banking regulators continue to provide innovative guidance – asking banks to ensure that their suppliers provide the same security protections the banks themselves provide. This has led to shared activities like those under Shared Assessments.org, and also to individual activities by specific banks and their suppliers to both implement security and provide assurances in the form of security programs, assessments, and audits to demonstrate to regulators that they are protecting bank customer information.
In 2015, to ensure the economic health of the country, isn’t it time for every public company, and every private company employing more than 50 or 100 people, to meet the GLBA requirement to have a program that’s documented and reported on annually to the CEO and board of directors? Isn’t it time to require service providers to include minimum security measures – firewalls, IDS, IPS, data backups, and some level of business continuity? Between traditional and cyber insurance, isn’t it time to require companies to demonstrate some ability with cyber security (or a cyber security provider) before granting insurance coverage?
There is a cost to this level of regulation. However, the FFIEC demonstrated that regulation doesn’t have to be overly prescriptive, and the cost of implementation feeds innovation and economic activity in the growing cybersecurity sector. Similarly, the lack of cybersecurity has a terrible cost on our economy. The loss of innovative IP to foreign governments and the organizations they support has crippled industries, bankrupted companies, and moved the production of US innovations offshore, where they may produce cheaper products but further erode our economic competitiveness.
Consider your own position: should the government be more prescriptive than a non-binding Cybersecurity Framework that requires little? The current lack of cybersecurity requirements has generated a sector of our economy where unemployment is almost zero; more regulation likely means the value of cybersecurity expertise and capability grows further. But it will also spur the development of security services and a consistency we could only dream of today. Whether you are for or against more prescriptive regulation, you should consider how best to get involved – then do something.