Cybersecurity professionals who tuned into this year's State of the Union address had cause for excitement: our discipline took center stage as President Obama announced plans to propose new federal information security measures. Additional materials released by the administration provide more detail on those proposals: efforts to enhance the sharing of cybersecurity data, a national breach notification rule, and improved tools for law enforcement.
On the whole, these are thoughtful and encouraging steps – and the attention to cybersecurity is overdue. But will they be enough? Past government actions on data security have often been vague and insufficient. In order to deliver more effective federal security rules, lawmakers would do well to look to industry-driven rules as a guide.
The sad reality of data security today
The sad reality is the government shouldn't have to intervene in matters of cybersecurity; ideally, organizations should take responsibility for the protection of their own customers and assets by regularly assessing risk and deploying necessary controls to properly protect data and systems. But breaches are occurring constantly due to businesses' poor or ineffective security practices, and action is clearly necessary.
You don't have to look any further than recent headline-grabbing incidents for proof: the cyber attack on Sony Pictures Entertainment and the string of breaches at major retailers are a telling indicator of the state of U.S. companies' data security posture.
While government cybersecurity regulations have not set a high bar to date, action by government bodies has had at least one positive impact on the industry. Before the implementation of state-level breach notification laws (and the breach notification provisions of the HITECH Act, which apply to health care data), companies could and routinely did obscure the fact that they had experienced breaches. It's for this reason that we have little useful data on the prevalence of cyber attacks prior to the early years of this century.
By contrast, today companies in 47 states are obligated to notify individuals when their private data is exposed. As a result, affected consumers are able to make more informed choices and take steps to protect themselves from identity theft. The spotlight of public attention also compels businesses to improve security efforts in the wake of an attack.
Laws such as breach notification rules can make a difference. But government security rules also have some serious problems.
What's missing in government cybersecurity rules
While somewhat successful, the breach notification laws we've been talking about vary considerably from state to state. A new federal rule likely would not be much stricter than the strictest of the existing state laws – such as the Massachusetts breach notification law. Since companies are already required to notify affected individuals of a breach in most U.S. states due to the existing state laws, putting a federal rule in place may have some benefit, but it's not the big step forward we need.
You could easily say the same thing – it's not the big step forward we need – about many of the U.S. government's recent cybersecurity efforts. For example, the Obama Administration developed and released the NIST Cybersecurity Framework in 2014, but adoption remains voluntary and few organizations are actively using it.
HIPAA, similarly, is often too vague or generic in its prescriptions. It's entirely possible for many organizations to comply with the HIPAA Security Rule on paper without truly protecting themselves or their protected health information.
So what's the solution? A start would be to take cues from industry-driven security rules. The payment card industry's PCI Data Security Standard (PCI DSS) is one example of rules that are specific, prescriptive, and responsive to changes in the security landscape. These rules, imposed on merchants by the payment card brands and backed by contractual penalties, could serve as an effective model for lawmakers, showing what a robust security effort looks like when private businesses are sufficiently motivated to protect themselves.
Until more industries get serious about stepping up and implementing responsible security safeguards, the government may feel compelled to step in to protect consumers. Effective rules will require thoughtful balancing of priorities and collaboration with both security experts and business leaders, as well as an effective enforcement mechanism to promote accountability. If the government can draw lessons from industry-driven rules, it may be able to prompt some real progress.
In his role as partner with LBMC Security & Risk Services, Mark directs the firm's resources to craft security solutions that mitigate security risks in a way that is practical and relevant to the organization's environment. Mark has received numerous commendations for his contributions to information security on behalf of his employers and the community at large. Most recently, the Information Systems Security Association (ISSA) named Mark a Fellow, one of a handful of individuals recognized for their accomplishments in information security, leadership, and service to the association and profession.