Compliance Management, Government Regulations

Information security pros should educate elected officials

Over the past few years, numerous bills on cyber security have been introduced and gone nowhere in Congress. That's about to change. The House leadership announced during “Cyber Security Week” in April that it approved four bills. The Senate is currently attempting to resolve largely partisan differences among competing cyber bills. Chances of reaching a compromise are probably 50-50.

The good news is that Congress is beginning to take the problem seriously. The bad news is that, with a few notable exceptions, federal lawmakers mostly think we are still primarily concerned with hackers and passwords. For too many policymakers, the fact that an organization was “breached” is an indication that stronger, more invasive regulatory oversight by the government is needed.

The reality of protecting our information is, of course, far more complicated. We are all facing increasingly sophisticated threats and, in response, we are deploying increasingly advanced defenses. However, security decisions are often not just about safeguarding assets as a competitive force. Business relationships and new platforms need to be managed as part of the full enterprise solution set. This can be a bit difficult for even well-intentioned legislators, most of them “digital immigrants” who are not really comfortable or knowledgeable about the bits-and-bytes world they now inhabit. We owe it to ourselves and our industry to respond with feedback and education for our elected officials.

Unfortunately, even if cyber bills reach the president's desk this year, it's likely that they will address important, but not fundamental issues that need to be resolved. Questions as to the appropriate mix of market incentives versus government regulation, the proper roles for military versus civilian authority, and the way in which business economics and cyber security can be resolved in a sustainable fashion will still be on the table for a new Congress – and perhaps a new administration.

It is critical that the security personnel who are addressing these core issues as part of their day jobs substantially upgrade the education program for our elected officials. This is a call to action. Become educated. Express your concerns. Get involved. Contact your representative directly or work through professional organizations, such as the Internet Security Alliance. Share your expertise, experiences and concerns with those crafting the laws with which we will all have to comply. The only certainty in this process is that we will all have to live with final legislation for the coming years. Let's get involved and influence the future of our industry.

Photo by Aaron Ansarov 

»Public-private exchange
In April, the House passed a controversial cyber security bill that would allow private companies to exchange security-related information with the federal government.

»Opt to share
Under the Cyber Intelligence Sharing and Protection Act of 2011 (CISPA), private companies and government agencies could opt to share information related to cyber threats.

»Meanwhile, in the Senate...
The Senate has its own bill, sponsored by Senators Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.V.) and Dianne Feinstein (D-Calif.).

»Critical infrastructure
The proposed Cybersecurity Act of 2012 allows the federal government to prescribe cyber security standards for companies that are identified as critical for the nation's security.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.