The U.S. has already adopted several laws related to cybersecurity. However, these laws either don't affect operational IT security on a corporate or national infrastructure level, or affect only specific business practices within select industrial sectors.
For instance, the Children's Online Privacy and Protection Act (COPPA), enacted in 1998, was an early attempt to make the Internet more secure for children. But COPPA didn't deal with making the Internet operationally more secure. Similarly, legislation such as the Digital Millennium Copyright Act (DMCA), the Security Systems and Standards Certification Act (SSSCA) and the Consumer Broadband and Digital Television Promotion Act (CBDTPA) were advertised as "security" laws. But while IT security technologies are necessary to implement many of the provisions in these laws, securing the core infrastructure--at either a national or corporate level--is beyond their purview.
Recent industry-specific regulations--such as Health Insurance Portability and Accountability Act (HIPAA) for health care and the Gramm-Leach-Bliley Act (GLBA) for financial institutions--have a more direct impact on operational security, setting strict standards for the protection of confidential banking and patient data.
These regulations signal the federal government's willingness to regulate certain aspects of data security. The security laws proposed in the Information Security survey are much broader in scope and application, representing a paradigm shift in the government's involvement in private-sector security.
HIPAA and GLBA also foreshadow potential problems with the survey's proposed security laws. While these regulations are targeted at specific industries, many security managers say the rules are too vague when it comes to implementation.
"I have HIPAA breathing down my neck, and with no real guidelines, it makes it hard to make every health organization conform to one standard," says one survey respondent, an administrator at a health care organization. "What makes you think other nongovernmental organizations can do that?"
About the author:
Andrew Briney is editor-in-chief of Information Security.