Data Security & Privacy

60 Government and Private Industry Security Professionals Present Report on Cyber-Security

 
John Markoff, of The New York Times, reported today that a government and technology industry panel on cyber-security is recommending that the federal government end its reliance on passwords and enforce "strong authentication."  The Report is a strong indictment of government and private industry’s efforts to secure cyber-space: it details a laundry list of serious break-ins to government and private sector computers, and the commission recommends the appointment of a cyber-security czar reporting to the President.  The group argues that cyber-security is one of the most significant national security threats and that it can no longer be relegated to CTOs and CIOs.
 
Mr. Tom Kellerman, VP for Security Awareness at Core Security Technologies, and a member of the commission, stated that "[t]he laissez-faire approach to cyber-security has failed."  The Report suggests that new laws and regulations concerning cyberspace be adopted, and that the proposed regulations include new standards for critical infrastructure providers, like the finance and energy industries, as well as new federal product acquisition rules to force more secure products.  What the report fails to emphasize, and what should be considered, is that corporations and government entities also need to do a better job of changing the culture within their organizations to prevent breaches of information.  This includes training, advising on the latest updates to laws and regulations, and adopting uniform policies and procedures specifically outlined for the organization.  Microsoft and Verizon have both presented cyber-security reports that conclude "social" causes are a bigger threat to an entity than "technical" causes.  This is one of the many reasons why cyber-security is a problem for the entire organization to deal with, and not just the technology folks.
 
However, there is a fundamental problem with adding more laws to address cyber-security: how are we going to enforce the new laws when existing laws are barely enforced?  Some laws (like HIPAA) do not allow for a private right of action, and other laws stretch our regulatory agencies so thin that they are forced to pick and choose their "battles."  Therefore, unless the laws provide for some sort of remedy outside of law enforcement, the limits of the laws may never be fully realized.
 
To read more, see the news article: Panel Offers Ways to Bolster Security in Cyberspace
 
