This article can also be found in the Premium Editorial Download "Information Security magazine: Negative exposure: Web scanners reveal unknown holes."
Download it now to read this article plus other related content.
"Don't tread on me."
This centuries-old motto for American individualism and autonomy also symbolizes traditional attitudes toward government involvement in enterprise IT. The IT community historically has rejected government attempts to regulate areas such as Internet commerce and electronic privacy. In similar fashion, IT security departments largely have opposed government proposals for security regulation, regarding them as costly, intrusive and misaligned to the everyday challenges of information protection.
But a recent survey by Information Security shows that IT security's historical attitude toward legislation may be changing. In a significant about-face from the past, many IT security practitioners now welcome certain laws that would directly impact the way they secure their enterprise infrastructure (Figure 1).
In the survey, the magazine asked approximately 1,640 IT security practitioners whether they would support prospective cybersecurity laws that would...
Require nongovernmental organizations to adopt minimum security practices.
Criminalize the use of IT in the commission of a crime.
Require nongovernmental organizations to keep records that could be used in the investigation of crimes.
Require companies to report security incidents and loss to the government.
Ease restrictions on computer security investigations that involve national security matters. While the U.S. government has been debating some of these ideas for years, none of them has been broadly enacted into federal law. The Information Security survey is intended to gauge how much support these laws would get from the infosecurity community should Congress formally consider them. The survey also provides insight on the security community's attitude toward legal liability when it comes to product vulnerabilities and security incidents.
Minimum Security Practices
Among the five proposed laws included in the Information Security survey, the IT security community is most supportive of a law that would require nongovernmental organizations to adopt minimum security practices. (Many government organizations already operate under such mandates.)
Nearly two-thirds of survey respondents said mandated baselines and best practices would improve security at their organization. A quarter of respondents said it would have no effect, while only 9 percent thought it would make security worse.
"Imposing security requirements will ultimately force my organization to implement security practices, policies and auditing," says a security manager at a law firm. "[This] will make our security better."1
An administrator at a biotechnology firm agrees. "If laws are in effect, the company has to take [infosecurity] seriously and budget for it."
The large support base for mandatory minimum practices may reflect a level of frustration on the part of IT security practitioners, many of whom have had only marginal success in motivating senior management to devote the resources necessary to enforce baseline security policies and practices. (As the saying goes, the only time you get the budget you need is after your company has been hacked.) In that light, government-mandated security standards look like a good way to get the budget and attention security so sorely needs.
However, despite broad support for this law, a vocal minority of survey respondents adamantly opposed minimum security requirements. Many felt it would be impossible for the government to design and enforce standards that were broad enough to cover all industries and organization types but specific enough to apply to each company's unique environment.
"[It's] bad to have the government impose some standard on business when business technology changes so quickly," says a consultant who works full time at a bank. "[It's] best to keep private enterprise private."
On a practical level, a number of survey respondents mentioned that such a law would look good on paper, but might actually detract from current programs and policies.
"[It] would only serve to increase workload, without improvement in perception [or] staff understanding," says one college IT administrator.
IT as a Weapon
In the physical world, "armed robbery" is a much more severe criminal offense than "robbery." The very act of using a gun carries additional criminal penalties above and beyond those levied for the robbery itself.
Does using IT as a means of committing a crime elevate its severity in some way? Is a crime more terrible, damaging or invasive because IT is involved? Should there be a law that adds criminal penalties for using IT tools in the commission of a crime? If an employee uses his position of trust within the computer system to extort funds, should that be treated differently than if he didn't use the computer system?
The majority of survey respondents (56 percent) support a law that would add penalties if someone used IT to abet a crime (Figure 3).
"If it takes...criminalization to improve security, so be it," says one IT security consultant. "Virus authors, crackers and swindlers should not be permitted to remain on the loose."
Those opposed to such a law feared it might be extended to criminalize "dual-use" IT tools that can be used for both legal and illegal activities. Password crackers such as L0phtcrack and John the Ripper, for example, can be used to audit a password file (legal use) as well as break it (illegal use). If there's a law that criminalizes the use of L0phtcrack in a crime, it may cause authorized auditors and sysadmins to think twice about using it on their own (or a client's) systems, which could have an unintended chilling effect on security. The same argument applies to a host of other IT tools, such as network sniffers, vulnerability assessment scanners and penetration testing tools.
"My concern...is that people will take white-hat hacking/auditing/penetration testing done as a professional service (or even against your own organization) out of context," says a CIO from a managed security services provider. "[This could] result in false arrests, harassment or other complications in conducting business."
Some survey respondents questioned where to draw the line on dual-use technologies. One asks, "Why should you criminalize the use of IT in the commission of a crime? What else are you going to criminalize, vases thrown at spouses during domestic disputes? Punish the crime, not the tools."
This type of law also introduces the issue of consequential liability. If someone commits murder during an armed robbery, the gun shop that sold the weapon could be held liable if it didn't perform an adequate background check. If a law criminalizing IT were in effect, the manufacturers of dual-use tools might be held liable in a similar fashion.
Legislating an Audit Trail
Many IT and IT security administrators already collect reams of log data and records for many devices in the network: databases, mail servers, routers, application servers, gateway servers, authentication servers, etc. The paper trails from these and other devices often prove useful in a forensic examination of a computer crime, showing the where's, when's and how's of a security incident.
But what about a law requiring companies to gather and keep specific kinds of reports that could be used in the investigation of a crime? Overall, respondents to the Information Security survey support such a law, with 51 percent saying it would make security better.
Why would you support required recordkeeping? For the same reason you advocate minimum security practices. "The actual reporting and documenting of security threats would require our organization to develop a formal process and operation," says a chief security officer at a financial services firm.
"It can only help the security environment." While required recordkeeping would undoubtedly help cybercrime investigations, many respondents noted that such a law would also heap more work on already overburdened IT staff.
"The main issue with new laws are their impact on existing resources," says a chief security officer at a university. "There must be a benefit to the organization to report, keep additional records, etc. The burden would be great on small organizations."
Given the increased workload, it's not surprising that large and very large organizations are much more likely than small or medium organizations to support this type of law. Many larger organizations already have processes in place to collect and store relevant reporting data. For them, complying with such a law would involve less work than for smaller organizations, some of which don't keep any substantive IT-related records.
"The resources that would need to be allocated to comply with [this law] would most likely detract from the focus and budget of all other IT security operations and projects, effectively weakening them," says an IT manager at a small health care organization.
Reporting to "Big Brother"
Most IT security departments are fiercely protective of any information related to security, particularly when that information relates to a security breach. The concern is not so much a financial or technical one, but rather a deep-seated interest in protecting the company's reputation and public image.
It may cost several thousand dollars to recover from a security breach, and thousands more to make sure the same incident doesn't happen again. But that's a drop in the bucket compared to the adverse financial and reputational impact a company could face if news of the incident makes The New York Times. It's a lesson that Citibank, Egghead and CD Universe, among others, learned the hard way.
It comes as little surprise, then, that most IT security practitioners oppose a law that would require them to report incidents to federal authorities. Only 38 percent of survey respondents said it would make security better.
Those opposed to the law say they don't trust the U.S. government to safeguard their information effectively.
"Reporting to the government would probably put us out of business," says the director of an application service provider. "Why? Because the government is a sieve, and anything that we reported to them could spread like wildfire to our customers and/or potential customers."
In an interview with Information Security, Bill Smith, chief technology officer and president of interconnection services with telco BellSouth, says it's "counterproductive" for his company to share security-related information with federal authorities, even when national security may be at stake.
"Since 9/11, state, local and federal authorities have tried to get their arms around the potential threats to the nation's infrastructure," says Smith. "They have asked us questions like, 'What are the 100 most vulnerable places in the network?'
"As much as we'd like to help the government in its attempt to help us...[if such information] were released, it would provide a terrorist with a road map to our key locations."
A manager at a manufacturing firm questions the practicality of such a law given the government's own staffing and resource shortfalls. "Reporting to the government is useless if there is not a large financial loss," he says. "They are way too understaffed to handle it, and powerless to do anything meaningful (e.g., counter-hack the hacker)."
National Security Matters
Despite the looming threat of terrorism and a general acknowledgement that criminals on all levels use the Internet to communicate and coordinate, IT security practitioners vehemently oppose a law that would place fewer restrictions on national security investigations than on other criminal and civil investigations (Figure 7).
Some of those who support such a law said, in effect, that drastic times call for drastic measures.
"We are in a war against terror," an analyst at an IT security consultancy says, "and the bad guys use the Internet and our laws to undermine our personal security. Therefore, we must fight this terror with every weapon available to us."
But in the minds of nearly three-quarters of the survey respondents, the importance of privacy and civil liberty far outweigh the investigative benefits that eased restrictions would provide.
"No investigation should be above the laws that govern the protection of the privacy and rights of lawful individuals," says a consultant at a manufacturing firm. "If you give up freedom for the sake of security, you will receive neither."
More than a few respondents went so far as to quote Benjamin Franklin in defense of "civil cyberliberty": "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Also in this issue
cybersecurity laws needed for operational IT security
Andrew Briney says the U.S. has already adopted several IT security laws, but few affect operational security.
security laws: Are they worth it for your organization?
Who wants the government's help? Who wants to be left alone? A look at the different perspectives.
Last November, the president's Critical Infrastructure Protection Board (CIPB) formally closed the comment period on its "National Strategy to Secure Cyberspace." This document outlines more than 80 recommendations for improving security across all sectors of the economy, from consumers to small businesses to global enterprises to government agencies on the local, state, national and international level.
While some in the IT community lauded the CIPB's effort, others criticized the strategy for not going far enough. The "recommendations" in the plan are just that: suggested practices, not mandated guidelines.
While the CIPB outlined a framework for approaching the problem, only Congress and the White House can force private sector business to beef up security. The $64,000 question is, will it ever happen? Will the government ever mandate the types of broad-sweeping laws outlined in our survey? The answer, at least for the next several years, is: unlikely. The reasons are deep-seated.
For one, big business has a strong influence on Congress, and will never advocate for more government regulations, because complying with regulations costs money. And as every grizzled IT security veteran knows, management will spend money on security only when they have to.
Perhaps a deeper reason involves IT security's lack of "community." A community has to have a common purpose, rules for membership and a way to enforce standards. If the community is powerful enough, it can enlist law in support of its objectives.
But there is no real community for IT security. Indeed, the IT industry as a whole is just now making itself felt in government. According to one estimate, computer/Internet industry contributions to political candidates are only about 15 percent of the amount contributed by the financial industry.
So while the IT security community favors broad-sweeping security regulations in some areas--particularly in the area of minimum security requirements for all businesses--it's more likely that the government will continue to favor issue- or industry-focused legislation. In that sense, HIPAA and GLBA, for all their problems, may be harbingers of regulations for other industries, including manufacturing, telecommunications and IT.
1Respondents to the Information Security survey provided demographic information such as job title and organization size/industry. However, to protect respondent anonymity, personal and organizational names were not collected.
About the author:
Andrew Briney is editor-in-chief of Information Security.
This was first published in January 2003