February 22, 2012, 11:01 AM — While the government may be in a rush to get the Cybersecurity Act of 2012 enacted, many in the industry are saying: not so fast.
Chief information security officers, industry analysts, and others question whether the move is needed--or even wise.
"The Federal government already has the power to put security requirements into all of its purchase requests--in fact, in many cases it already does so. This is the biggest area where the government can improve security--by driving the software and IT companies to develop more secure products," said Gartner analyst John Pescatore.
"Not by trying to mandate security levels," he said.
[See CSOonline's exclusive directory of security-related laws, regulations and guidelines]
As covered late last week in our story Lieberman: Cybersecurity Act of 2012 will help us protect critical infrastructure , the law aims to give the Department of Homeland Security the power to mandate the security level in industries it deems as critical infrastructure, such as power and telecommunications, water and treatment plants, wireless providers, and others.
Sen. Susan Collins, R-Me., was quoted as stating that cyberattacks are coming from all directions and that "this bill is urgent," adding that "we cannot wait until our country suffers a catastrophic attack."
"If they're that worried about a catastrophic attack, maybe they should consider putting more emphasis on incident response plans, rather than trying to set some bar they believe is a fair level of security," said a security analyst at a mid-western utility, who spoke on the condition of anonymity.
"We've been quite active in securing our cyber infrastructure with NERC (North American Electric Reliability Corporation) standards. Even pushing beyond those requirements. The concern is that we get the unintended consequences public companies had to endure with Sarbanes-Oxley," the analyst said.
Eric Cowperthwaite, CISO at a major healthcare provider, agrees that the bill may bring unintended results. "Look at the HIPAA Security Rule. It was designed to be a risk management-based rule. But, not understanding the power of the hospital compliance culture, the regulators didn't understand that it would become a very difficult compliance nightmare," he said.
"Complying with a risk-management rule is basically not possible if your view is that you have to check off the boxes you have completed," Cowperthwaite said.
He also pointed to the state data breach disclosure laws, citing the negative impact the encryption safe harbor provided in many of these laws. "Encryption of laptop hard drives is now a standard practice even if there is no significant risk."
"Could that money have been better spent on other security efforts?" he asks.
"They [the bill authors] put all the pain on the end user in the hope that that'll drive the change, but you typically end up breeding this culture of compliance where end users try to argue that they don't have any critical assets, or they'll downplay the criticality of the data and the systems they have," said Nate Kube, chief strategy officer for Wurldtech, a security testing and remediation solutions provider to critical infrastructure suppliers, system integrators.
Gartner's Pescatore contents that he'd prefer to see a focus on the government leveraging its vast buying power to drive secure software and product development.
"One of the many cybersecurity bills floated over the past 5 years had that focus. This is a much better approach than on trying to mandate add-on security, by a long shot," he said.
