Security and risk management are consistently among the top priorities of CIOs, but unfortunately those concerns rarely translate to the world outside the IT department. Recall the famous hack of the PlayStation network in 2011. Sony's response basically was "deal with it."
This past summer, SearchCompliance.com polled attendees at its virtual seminar on mobile security and found that 63% of the 654 participants said their organization is "mostly secure," but another 25% said their organization is "mostly unprotected" or "not secure at all." The brutal honesty of the 25% does not make me comfortable with the responses of the 63%.
The latest sign of this tension is that amid the chaos of post-election news regarding fiscal cliffs, the latest unrest in the Middle East, and the political scandal within the military, the U.S. Senate recently rejected the latest attempt at passing cybersecurity legislation to protect the nation's critical infrastructure. It seems, again, that cybersecurity is not that important of an issue, especially when so much else is going on.
But this is not the first time such legislation has failed. Congress has been trying to create comprehensive cybersecurity legislation for several years, but little has been accomplished. In fact, President Obama, in lieu of the failed bid of the Cybersecurity Act of 2012, signed an executive order that gives government agencies the power to act in cases of cyberattacks.
Security is no joke
One joke going around about the Petraeus scandal is that if the director of the CIA can't keep his email secret, then no one's email can be safe. But it's not a joke that we continue to be so blithely unaware of how permeable digital information is, no matter what safeguards are in place. The same goes for critical infrastructure. The North American Electric Reliability Corp.'s Critical Infrastructure Protection (NERC CIP) plan attempts to regulate the electric grid's security, but there are other systems, including communications, finance, oil and gas, among others, that are equally exposed as potential targets.
What is holding up the latest effort is not the policy of defending against cyberattacks per se; it's what businesses have to do in order to comply, and the fact that compliance be mandatory rather than voluntary. Security should be a non-partisan issue, whether it's the U.S. Congress or the corporate boardroom. Steps need to be taken to be secure regardless of the costs (financial, political and social). But as experts are saying, the now dead Cybersecurity Act became a political football, and one that didn't create much urgency in the first place.
Businesses and factions in government that are fighting the efforts to push cybersecurity reform should take a lesson from those companies who are leaders in creating socially responsible businesses, and not wait for the government to pass laws that require compliance.
Whether or not the Cybersecurity Act of 2012 was the perfect piece of legislation or not is irrelevant. The fact is, the country's political and business leaders continually determine that it's not in their best interest to take the time to make the legislation work for the public good. The prevailing wisdom is that they will deal with cybersecurity when they get around to it. But by then it may be too late.