PLYMOUTH TOWNSHIP – Currently, there has been only minimal interference by the Government on matters of cyber-security. Since the field is new and there are few precedents in the courtroom or the boardroom, the Government has resolved to be more reactive than proactive. This hands-off approach raises the question: should the federal government rely on market forces or on regulation to force companies to provide better cyber-security protection for their assets?
Companies such as Microsoft Corporation are taking the initiative to police themselves. Microsoft CEO Steve Ballmer states that things will be better in ten years. However, other experts, like the researchers at Gartner, believe that a major cyber attack is due in less than 5 years. Companies are functioning as islands when it comes to cyber security. If companies continue in the direction of dissolving committees and disbanding task forces that are trying to voluntarily regulate the industry, then the Government may have to shoulder the responsibility.
The problem with the government stepping in is that cyber security may become over-regulated. For example, the Communications Assistance for Law Enforcement Act, which would allow the FBI access to information on all broadband Internet services, is thought by some organizations to give the FBI too much access because it is broadly defined and leaves a lot to interpretation. Another proposed law would have required public companies to report their cyber-security plans to the SEC (Securities and Exchange Commission). Critics thought that the law would place a great deal of liability on companies. However, security vendors feel that companies would put more resources into securing their systems if "Big Brother" were watching.
The anti-spyware bill, the Internet Spyware (I-Spy) Prevention Act of 2004, just passed the Senate, and if it passes the House it would make it illegal to access someone's computer without authorization, to exceed authorized access, or to use programs or code to steal identities or impair security. Even though the bill has stiff penalties that include fines and up to 5 years in prison, opponents state that it may be too vague, making it harder to enforce. Supporters of the bill, on the other hand, suggest that it will give law enforcement tools that will be beneficial in fighting cyber crime. Companies need to be proactive in incorporating cyber-security initiatives into their own organizations.
Some large corporations like Microsoft are voicing their opinions on securing IT infrastructures. For instance, Microsoft CEO Steve Ballmer stated that security is Microsoft's top priority. His solution is for everyone to develop on one platform (Microsoft) so that developers can share and build on the work of others. However, cyber-security should not be based solely on one platform or product. What is needed is a total, (mostly) generic solution that gives the freedom to use different tools and methods to arrive at the same level of security for (almost) all infrastructures.
Some organizations, like the Security and Networking Research Group at Sandia National Laboratories and the CERT Coordination Center of the Software Engineering Institute at Carnegie Mellon University, are working toward that goal by trying to establish an IT-industry-wide "common language" for incident reporting and comparison studies. The attempt is commendable; however, it would probably take an industry-wide initiative or a Government mandate to force the acceptance and use of one "term" or expression over another. Another recommendation from the CERT Research Center was to impose "Common Criteria" standards, under which software development companies and their customers can use the security classification levels to determine the security rating of software.
Unfortunately, organizations are not moving forward swiftly. For instance, the anti-spam working group known as MARID (MTA Authorization Records in DNS) was shut down by the IETF (Internet Engineering Task Force) because it had reached an impasse on the creation of a common standard for mail authentication to help thwart e-mail misuse and abuse.
Another group, the National Cyber Security Partnership, is trying to persuade companies to voluntarily adopt cyber-security practices. However, its efforts are being ignored. In light of the slow response to change, the chairman of the House Subcommittee on Technology and Information Policy, US Rep. Adam Putnam, R-Fla., is threatening to introduce a bill, the "Corporate Information Security Accountability Act," that would make it mandatory for all publicly held companies to create information security plans.
A few companies are very proactive in adopting cyber-security practices and in ensuring that they have the latest and greatest hardware and software packages. These companies are the ones most prominently displayed on the covers of IT magazines such as Computer World and E-Week. However, most other companies, due to a lack of knowledge or resources, try to get by with the bare minimum of cyber-security. Eventually, when some security measure is overlooked, it is going to cause problems. For example, a denial-of-service attack targeting one company on a server that is shared by several different companies will affect all of them.
In the past, the Government has reacted to incidents by imposing laws such as Sarbanes-Oxley of 2002, which was designed to restore investor confidence in US financial markets, and HIPAA (Health Insurance Portability and Accountability Act), which was enacted to ensure a common electronic transfer format and to provide privacy and security for health-related information. As companies start heading in different directions, it will be the Government that has to lay the ground rules or standards that facilitate the inclusion of cyber security in the development, support and use of information systems.
In addition, the Government will introduce and pass laws addressing software and security liability, international cyber-crime, invasion of privacy and numerous other issues in the near future. However, the ultimate role of Government in cyber-security should not be that of a dictator, but perhaps that of a leader offering guidelines for the rest of us to follow.
This column was written by Marcia Mealy, owner of Your Business Secure. The corporate web site is at YBSecure.Com