Cybersecurity Bill Won’t Magically Solve the Problem

The U.S. Senate is once again taking up the issue of cybersecurity. A bill (S. 21, the Cybersecurity and American Cyber Competitiveness Act of 2013) was filed this week. It aims to do what the Senate failed to do in 2012 and create legislation to “secure the United States against cyber attack, to improve communication and collaboration between the private sector and the Federal Government, to enhance American competitiveness and create jobs in the information technology industry, and to protect the identities and sensitive information of American citizens and businesses.”

Now, there’s no doubt that our nation’s critical infrastructure is at risk today. Not tomorrow, today. While I wouldn’t go as far as Janet Napolitano in saying such an attack is “imminent,” I do believe it is not only possible, it is inevitable. We know that there are serious security vulnerabilities in the computer systems operating our infrastructure, and we know that there are tools and methods available to cybercriminals that could cause damage to these systems. The only reason there has not been a serious incident on U.S. soil is that past enemies capable of such an attack have not had the motivation.

But the threat landscape is changing. With smaller, less friendly nations arming themselves with cyberweapons programs in increasing numbers, and with other organized groups such as criminal syndicates and hacktivists joining the battle, the chances of at least one attacker having the motivation are increasing rapidly.

The challenge is that there is no single solution to the problem. Each industry and each system has unique security challenges. Companies that operate such systems are looking for guidance and standards to help them prioritize where to focus.

While I do not believe that a cybersecurity bill will magically solve the problem, it will force the conversation forward, beyond fear and doomsday predictions, to measurable action. Whether through incentive (the carrot) or through penalty (the stick), companies operating our critical infrastructure need to be pooling knowledge and taking real steps to improve their security.

A cybersecurity bill that tries to prescribe too much or force a specific solution onto the entire infrastructure industry will undoubtedly fail. In fact, it might cause more harm than good, by giving the country a false sense of security simply because some least-common-denominator compliance goal is met. However, it’s hard to argue that something is worse than nothing. And if a cybersecurity bill forces the different industries to get together with cybersecurity experts, set meaningful standards, measure those standards, and continually update those standards, then it can be a huge success.

Bit9 provides Advanced Threat Protection for endpoints and servers using the market’s leading trust-based application control and whitelisting.
