NEW YORK - Many people think the government's role in improving cybersecurity is imposing and enforcing regulations. But it can do a lot more positive reinforcement to encourage secure business practices, including serving as a trusted conduit for threat information.
Such was the message of Amit Yoran, director of the National Cyber Security Division at the Department of Homeland Security, yesterday. "We are not taking (regulation) off the table," he said yesterday at the Information Security Decisions conference. "But a combination of tough standards and incentive-based programs will foster better security more effectively."
Yoran makes an interesting point. Many would have the government use a stick to punish companies that aren't secure. There are already laws on the books such as the Health Insurance Portability and Accountability Act, which levies penalties for companies whose security is not up to snuff.
But what if the government rewarded companies for being secure or, at least, did things that would making being secure easier? SearchSecurity.com asked some conference attendees which is a better incentive.
"The problem is the government is not in the business of rewarding good behavior. It's much better at punishing bad behavior," said Jim Malcolm, a database manager for AT&T.
Other attendees said they would like the government to centrally manage the information it collects about threats. "I would like to see it centrally located at the Department of Homeland Security. There are still a bunch of parallel efforts," said Stephen Case, who works in an IT department for a U.S. bankruptcy court.
Case would also like to see more discussion and sharing of information among all security professionals in the government. "They only peripherally talk with each other now," he said.
David Olsen, a network administrator for ServiCom, would also see a central place for information for security professionals. The new US-CERT Web site is a good start. He thinks the government's role is to provide information but it is up to the industry to regulate itself. "A lot of government regulation takes a one size fits all approach. It would be difficult for a small business to implement measures geared towards enterprises and vice versa," he said.