I don't believe that, in the case of a lot of major companies, there's boardroom-level attention to information security.
Rep. Adam Putnam
R. - Florida
Blaster didn't cause last summer's massive Northeast power outage, the Federal Energy Regulatory Commission reported last month. But the timing of the two events fueled theories that the lights went out because the worm penetrated the SCADA systems controlling the power grid.
While investigators noted the fragility of the aging electricity distribution network, others saw the tremendous damage cyberterrorists or foreign adversaries could wreak if they disrupted the IT networks that control the nation's critical infrastructure.
Rep. Adam Putnam was already crusading to improve the security of the nation's critical infrastructure when the power failed from Ohio to New York.
The Florida Republican sounded a wake-up call last fall by drafting, but not filing, the Corporate Information Security Accountability Act, which would require publicly traded companies to file high-level security audits with the Securities and Exchange Commission. His intent: more cooperation from the private sector in shoring up the nation's critical infrastructure, 85 percent of which is owned by private enterprises.
"I don't believe that, in the case of a lot of major companies, there's boardroom-level attention to information security," says Putnam, chairman of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
Companies can't function in an isolationist mode.
Rep. Tom Davis
R. - Virginia
Putnam's bill rattled the private sector. The last thing the C-suite wants is an onerous law imposing expensive security requirements. But big business' congressional allies are growing tired of the private sector's lackluster effort.
"People said to us that they think the private sector can do this alone," says Bob Dix, staff director of Putnam's committee. "[Putnam said,] 'Prove it. If you can come up with a plan that can move the ball up the field, I'll hold this legislation in abeyance.'"
Malware costs U.S. companies billions of dollars each year in lost data and productivity. Identity theft is the fastest growing and most widespread consumer crime. And a growing community of lawmakers, bureaucrats and security experts worry that the lack of oversight of private sector computer security is leaving the U.S. open to potentially crippling cyberattacks.
"Companies can't function in an isolationist mode," says Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform. "Because of the interconnectivity of systems, enterprises have to consider the risks of the systems and computers to which they will connect."
Enterprises--particularly the high-tech heavyweights--are beginning to see the inevitability of tougher security laws. The industry-sponsored National Cyber Security Partnership recently bucked the long-held industry stance by acknowledging that the government "may" have to legislate security to protect critical infrastructure and key economic components. Other industry-sponsored groups are developing best practices, implementation incentives and rewards for documenting good security.
Government intervention may be necessary, but how should the government act? Coming down with too heavy a hand could lock enterprises into expensive and potentially ineffective infrastructures. Coming down too lightly could lessen the intended impact.
"It's hard to know if legislation can solve this problem," says Rep. Jim Turner (D-Texas), who sponsored the Federal Information Security Management Act (FISMA), which requires government agencies to establish security management standards.
Beginning with the Computer Fraud and Abuse Act of 1986, federal lawmakers have periodically drafted legislation to improve bits of infosecurity in government agencies and private enterprises. More recent laws such as GLBA, HIPAA and Sarbanes-Oxley have raised the bar, forcing enterprises to secure proprietary information.
However, the feds have been reluctant to mandate baseline standards for cybersecurity or require private enterprises to report security incidents to law enforcement. Congress finds it difficult to craft broad legislation that is effective, universally applicable and not financially burdensome on enterprises.
Nevertheless, legislators on both sides of the aisle are taking note of the growing number of exposures and threats to critical infrastructure, consumer privacy and economic interests. They're telling businesses to improve their security--or else.
"What we see on Capitol Hill right now is 535 people looking around for a hammer," says Stewart Baker, a partner at the law firm Steptoe & Johnson in Washington, D.C. "When there's a crisis and significant damage, there will be a cry for legislation."
Without a major cyberattack causing substantial economic or physical damage, there's been no impetus to enact sweeping legislation. This has given Congress the latitude to support the private sector's desire for self-regulation. Several verticals have established Information Sharing and Analysis Centers, and the government has facilitated the growth of InfraGard, a public-private cyber- security partnership. The Department of Homeland Security is ramping up its US-CERT program, which will provide alerts and advisories on Internet threats.
The Bush administration did adopt the National Strategy to Secure Cyberspace, developed by former cybersecurity czar Richard Clarke, which established high expectations for securing privately held components of the country's critical infrastructure. But most observers say the strategy has no teeth and has been largely ignored.
It's hard to know if legislation can solve this problem.
Rep. Jim Turner
D. - Texas
Congress may legislate security, but that doesn't always translate into compliance. Even stringent legislation like HIPAA hasn't universally improved management attitudes toward infosecurity.
"I've talked to very large hospital chains where the CIOs don't believe in the law," says Carl Herberger, senior director of information security professional services at SunGard Availability Service. "They said, 'HIPAA? That's a bunch of hooey. It's one man's interpretation.' When you dive into what they've done, you find out that they haven't done anything."
The lack of a universal approach opens the door to civil litigation. Lawyers are salivating at the prospect of class action suits brought by people or organizations affected by hacks and computer outages. For example, several investor lawsuits were filed against FirstEnergy Corp. of Ohio after the company restated earnings in the wake of the Northeast blackout. And, last October, a proposed class action suit was filed against Microsoft for security flaws in its operating system that left an individual's personal data exposed to hackers.
"There are doctrines in the law that state the failure to meet regulatory standards is presumptive evidence of negligence," says Steptoe & Johnson's Baker.
That message isn't lost on Rep. Putnam. He has threatened to introduce legislation that sets security expectations and standards. "You would no longer be able to claim that you didn't know what to do," he says.
But many observers say that even well-crafted laws could not be equally applied, since the cost burden would weigh differently based on enterprise size. A large organization can afford to invest a small fraction of its IT budget for a law like GLBA. A small business, on the other hand, might need to dedicate a significant percentage of its IT budget to meet a law's requirements.
"Managers perceive that there's limited money to invest in security," says Jeffrey M. Stanton, dean of information studies at Syracuse University. "Lacking some big push, they could, for a long period of time, continue to not ratchet it up."
Some lawmakers and security advocates say the government should focus its attention on the companies creating the operating systems, databases, enterprise applications and other software that contain security flaws.
"We could pass legislation to make the product more secure if it's being used in one of our infrastructure systems," says Mike Higgins, professor of information security at George Washington University.
FISMA requires federal agencies to only purchase software that meets prescribed security standards. Several federal agencies--including the Department of Energy, Department of Homeland Security and National Security Agency--also require software vendors to configure products for security.
Rep. Turner says that by requiring vendors to produce ultra-secure versions of their software for the federal government--the country's largest software consumer--it's "much easier for the same products to be offered to private purchasers at a more affordable price."
Perhaps the single biggest problem is the expectation that legislation can "solve" the security problem. Enterprises have railed against such mandates, fearing the government will impose unrealistic solutions that won't solve their problems and will cost too much.
"Until we can accurately identify what the problems are and assign certain metrics that we can draw on and refer to in some kind of regulatory structure, the prospect that legislation can be counterproductive is real and troubling," says Greg Garcia, VP for information security at the Information Technology Association of America.
Ultimately, that's the challenge facing lawmakers: If they want to fix security expectations and requirements for the private sector, they need to craft legislation that is dynamic enough to meet the changing threats to the critical infrastructure.
Darwin John, executive VP of consulting at Blackwell Consulting Services, believes it's unrealistic to expect to solve a problem with a wave of the legislative wand.
"Somehow, we've got to figure out a way to make this work organically," says John, who is former CIO of the FBI. "It's not a fix--a point in time solution--because the environments and threats keep changing."
About the author:
Erik Sherman is a Massachusetts-based freelance writer.