The White House came out with its cyber security proposal.
Verdict? Overall, a good step in the right direction, but it could use a lot more. While it tries to address some of the gaps that have existed for years, the proposal would benefit from some specifics. Actually, a lot more specifics. In some key areas, the proposal is a “plan for a plan” as opposed to prescribing specific, actionable steps to protect data, intellectual property and infrastructure.
The Wall Street Journal reports today that the lack of specificity is designed to “appease companies” and “tries to strike a delicate balance between securing critical networks while not dictating security measures for the private sector. Under the proposals, companies would have considerable leeway to draw up new cybersecurity plans and measure their success at meeting them.” This approach improves the chances of passage. Fine, but:
- For private industry, today’s Washington Times published an op-ed that uses PCI-DSS as a model for getting specific. The government could at least encourage an approach where industry self-regulates as credit card providers have done.
- For federal entities needing to protect data, the proposal mentions strengthening FISMA. Why not tie that into PCI? This could fall under the Critical Infrastructure Cybersecurity Plan. The lack of a PCI-like framework in the proposal, especially when it comes to protecting citizen data, is a gap. We’ve seen states and private industry succeed with a specific approach, so why ignore it?
The brightest component of the proposal is the emphasis on information sharing. Since attacks come from common places, this is a no-brainer. Additionally, the White House recommends a common intrusion prevention system. Another excellent step.
Let’s look at the proposal a bit more closely.
- Data breach notification—As we blogged yesterday, this proposal is gaining momentum. Certainly, forcing people to admit there’s a problem is a good first step. However, you do run the risk of numbing the public with constant data breach notifications. But the real target here is CEOs who have to be sensitive to investors as data breaches and IP theft do impact share price.
- Synchronizing virtual crime laws with physical ones—No-brainer. Basically, apply RICO (the racketeering laws used to convict organized crime) to cyber gangs.
- Voluntary assistance for industry, states and local governments—If there’s a cyber security issue, various groups can ask the government for help. When Microsoft recently identified the Rustock spam servers and notified the FBI to shut them down, spam traffic dropped 30% almost overnight. This makes sense as well, though resource availability will be an issue since the bad guys outgun the good guys.
- Voluntary Information Sharing with Industry, States, and Local Government. The importance of this can’t be overstated—cyberattacks are often launched from common platforms and locations. By sharing information on this, you can potentially stop attacks before they arrive at the gate. For example, after examining the infamous RSA breach, researchers identified several common attack locations.
- Critical Infrastructure Cybersecurity Plans. Basically, securing the national grid and banking cyber infrastructure. The proposal states:
The Administration proposal requires DHS to work with industry to identify the core critical-infrastructure operators and to prioritize the most important cyber threats and vulnerabilities for those operators. Critical infrastructure operators would develop their own frameworks for addressing cyber threats.
This section is only a plan for a plan. Without specifics, no one can predict how successful this effort will be.
- Protecting Federal Government Computers and Networks—This section of the proposal addresses federal agency security. Again, more specifics are needed. However, synchronizing agencies’ use of intrusion prevention systems is a solid step. Another positive: the White House would prevent states from requiring the local storage of data so that cloud computing can flourish. However, as mentioned above, the lack of a specific framework is a gap.