C-note: Federal Cyber Security Legislation in the Works
by Rick Dakin, CEO, Coalfire
As some of you may know, the national debate on cyber security is moving to fever pitch. Both houses of Congress and the White House have proposed cyber security legislation that addresses everything from increased consumer data privacy and enhanced cyber protection for critical infrastructure to new regimes that provide regulatory oversight. President Obama captured the debate in this summary:
"We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control... But just as we failed in the past to invest in our physical infrastructure – our roads, our bridges and rails – we've failed to invest in the security of our digital infrastructure... This status quo is no longer acceptable – not when there's so much at stake. We can and we must do better." – President Obama, May 29, 2009.
These new initiatives come at a time when many organizations already feel the weight of validating compliance to more demanding cyber security regulations in the banking, healthcare and government sectors. Unfortunately, the measures we are taking to protect critical cyber assets and sensitive consumer data are not adequate when the emerging threat is further analyzed. While not universally accepted, I think we are moving into a period of cyber warfare that will dramatically change how we protect all critical infrastructure, including information technology.
I recently attended a conference in Washington D.C. where the expert speakers outlined the current ongoing international treaties. The United States and 26 other countries are trying to define "cyber war" and outline acceptable protocols to respond to cyber attacks. In one interview, Congresswoman Michele Bachmann of Minnesota declared that the U.S. could not dismantle more of its nuclear capacity in the event we need to use our kinetic strike capability to respond to a cyber attack. Really?
My take is that cyber security is just now starting to become a national priority and we will see some of the following legislative items approved over the next few sessions:
The 46 State Notice of Breach Laws will be replaced with a single federal law that carries even more strict enforcement requirements. However, I suspect that over-reaching states like Minnesota, Massachusetts and California will have some of their cyber security requirements pulled into a more reasonable program.
Cyber criminals will go to jail. It will be easier to prosecute cyber crimes and the penalties will become much more severe.
The Department of Homeland Security (DHS) will play a much larger role in providing oversight for cyber security. It will drive even more rigid audits and measurement of regulatory programs. They are already increasing staff in these areas.
A Consumer Bill of Cyber Rights will make it much more difficult to violate personal privacy. For marketing companies, get ready. The reporting of personal information disclosure will also move to a higher level. We will not get to the EU level of personal privacy, but the limitations of data sharing will increase.
Law enforcement will get new rights. It is unclear whether antiquated wire tap laws on electronic surveillance will be removed, but a "Big Brother is watching" concern is a possibility.
Aside from enhanced cyber security legislation at the federal level, I was caught off guard when talking to one of my West Point classmates recently. He works for the new U.S. Cyber Command. I asked what infrastructure they were protecting and his response was enlightening. He said, "Who said anything about defensive operations?" It appears that the U.S. is finally responding to other nations’ overt cyber espionage against us with our own offensive capabilities. Go Red, White and Blue.
As a cyber security professional, these predictions may be a bit self-serving. But I cannot ignore the compelling arguments to drive even higher levels of data protection in the future. Accordingly, I advise each of you to evaluate your current cyber security programs and budgets to ensure they are aligned to the increasing demands that I see on the horizon.