Michael F. Angelo, chief security architect, NetIQ
It's clear that what we've been doing to ensure security has yet to bear its full fruit, as data breaches and attacks continue to make headlines. Recent hysteria over threats such as Conficker has done little to bolster confidence in our current security infrastructure. As security budgets are squeezed, yet another factor is poised to complicate our path to trustworthy enterprise security: government intervention via federal/state/local legislation.
Three members of Congress have recently co-authored Senate bill S 773, which contains a number of interesting ideas that intend to compensate for what is seen as the security industry’s current shortcomings. While its intent is notable, it introduces a number of issues that will adversely impact global commerce. Ultimately, these issues could spell disaster for any company leveraging the internet.
The bill begins with standard platitudes: "To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications." Highly commendable, but what follows "... to improve and maintain effective cyber-security defenses against disruption, and for other purposes," encouraged me to read more closely.
The two sections that sounded alarms are Section 7 – Licensing and Certification of Cybersecurity Professionals (an ominous title to begin with) and Section 18 – Cybersecurity Responsibilities and Authority.
Section 7 mandates the creation of a national licensing certification program for cybersecurity professionals. All cybersecurity personnel must be certified within three years after the law is enacted. The law also states that it is unlawful to provide "cybersecurity" for any federal or critical infrastructure information system or network unless you are certified.
While required certification for security professionals could be valuable, the logistical nightmare the concept creates could easily outweigh its benefits. As security practices constantly change and technology is quickly updated, curriculum development presents a huge challenge. Additionally, who would own this certification process, pay for it and nurture it? These are only a small number of the red flags raised by this section.
Section 18 provides the president of the United States the ability to declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised federal government or United States critical infrastructure information system or network. It will also allow the president to order any federal government or United States critical infrastructure information system or network to be disconnected in the interest of "national security."
The worst-case scenario is that a company would be disconnected from the Internet without warning and successfully isolated from corporate partners and, effectively, all real-world communication. Depending on your Internet reliance, this could disrupt your business for long periods of time with no way to remedy the situation. This type of disruption poses incredible risk that most organizations can’t afford.
This legislation brings to light the fact that we need ways to safely adopt technology, protect our organizations from ever-changing security threats and guarantee day-to-day operations. Until our priorities include security in a more comprehensive, business-enabling way, additional government intervention in the name of "protection" will be an unfortunate consequence businesses will need to endure – likely too high a price to pay for engaging in the global marketplace.