Currently there seems to be a swelling sentiment to enact additional legislative changes to make the internet a safer place for organizations as well as consumers. We all want to whip the complex information insecurity problems into submission. I have the gnawing premonition that something big, yet ineffective, is on the horizon.
One of the options routinely discussed is that the government should impose new regulations that would secure cyberspace faster. The question is: what would cybersecurity legislation or regulations enforce? Would they be aimed at strengthening the information security practices at organizations that might fall victim to the online threats? Would they be aimed at software vendors who create the programs and applications used by consumers? I believe neither of these options would yield the desired result of securing cyberspace faster.
I have heard people state that there needs to be an overall cybersecurity law, one that applies to all organizations, imposing minimum information security standards across all industries. Every few years, there appears to be a new law that requires two years to interpret, then another few years to determine how it impacts an organization.
There have also been public discussions of the government addressing software vendor liability. This may also be an ineffective measure to cure our security woes. Such legislation could easily cause U.S.-made software to be priced out of the global software market. Beyond raising the price of U.S. software, imagine the complexity of enacting software vendor liability. We would have to sort out the following: what is the difference between a coding flaw, a configuration flaw and a security flaw? Who gets sued for flawed concepts such as the authentication schemes that are so widely exploited today? What are the reasonable steps that a user should take to prevent misuse? What are the penalties for software that can be exploited? What if software, when performing its intended function, can be used for good as well as evil? This is just the tip of the iceberg. Consumers can already resort to tort law and civil channels to address shoddy software, as well as elect to simply not buy it. Additional federal legislation to address software vendor liability will not resolve the cybersecurity issues.
So what can the government do to secure cyberspace faster? The government should continue programs that educate consumers on cybersecurity, secure coding and "safe" internet use via standards, seminars, conferences and publications. The government can also focus on the largest issue contributing to the internet's lack of security: dismantling the safe harbors from which attacks are launched. Nearly all the incidents we have responded to originate from these safe harbors — and corporations believe there is nothing our government can do about it. We have IP addresses and names of folks robbing American citizens, yet no capability to take the digital evidence and trace it to the bad people ruining our internet. Though there may never be worldwide cooperation in the cyber realm, the government can certainly make additional headway.
I think most of us agree that the majority of folks on the planet desire a world where there is no "buggy" software, no backdoors, no cyber intruders and no discernible security flaws in our software. It is time to salute smartly and prepare to battle on. Defending America's cyber infrastructure is going to be a lot like trying to cure a complex disease. The oldest known description of human cancer is found in Egyptian papyri written between 3000 and 1500 BC, and 3,500 years later we still do not have a cure. I expect similar results for cybersecurity. We can treat cyber insecurity, we can survive it, but we must learn to live with the fact that there may not be a cure.
Kevin Mandia is president and CEO of Mandiant.