CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog

Repercussions, not legislation, key to improving nation’s cyber defenses

In Monday’s blog, “Why Rockefeller-Snowe’s Regulations Won’t Prepare The U.S. For Cyberwar,” security expert Richard Stiennon provides a straightforward analysis of why we can’t effectively regulate cyber security. In a nutshell, passing a new cyber security bill would do nothing to better prepare us for cyber attacks. What we need to do is beef up our defenses with accepted security practices. I couldn’t agree more.

Historically, legislation has proven to be woefully inadequate in preparing the U.S. for cyberwar. Why? Because there are no consequences. Until there are repercussions or someone is going to lose their job for not being secure, this will continue to be problematic. This is where the government is missing the boat. Trying to legislate cyber security without holding organizations accountable seems to be the crux of the problem.

Unfortunately, our friend and newly appointed U.S. Cyber Security Czar, Howard Schmidt, is in a tough spot. With no budget or real authority to levy consequences, there’s not going to be much change. Although many believe the government can and should be leading the way to improve the nation’s cyber defenses, Mr. Schmidt believes the best defense remains in the hands of the private sector.

It all comes down to holding people accountable. Without repercussions, companies have no incentive to spend money to move beyond the status quo in security best practices and start thinking in a more proactive manner.

It’s only when people’s jobs are on the line that things truly get done. Only then will we start to move beyond our reactive mindset and get ahead of the problem by implementing proactive solutions, such as application whitelisting, that adequately prepare us for cyberwar.
