Lawrence M. Walsh
Published: 01 May 2004
Sen. Dianne Feinstein is the last person you want writing security legislation.
When asked by National Public Radio what could be done to fight cybercrime against privately owned networks, the California Democrat said, "What you can do is you can see that the state-of-the-art encryption is present on the large systems that have a high security profile; that's the first thing."
Huh? Like most Washington lawmakers, Feinstein is pretty clueless about the intricacies and challenges of IT security.
It's Congress' naivete that has the Business Software Alliance and the National Cyber Security Partnership urging corporate leaders to greatly improve their security programs. If the digital frontier isn't brought under control soon, as these groups correctly surmise, Washington will intervene, and there's no telling what the lawmakers and bureaucrats will conjure up.
No one ever gets a good feeling when they hear, "I'm from the government, and I'm here to help you." Consider some of the ideas circulating inside the Washington beltway:
- New York Sen. Charles Schumer wants to require enterprises to report to the government whenever they've been infected with a virus or worm.
- Texas Rep. Lamar Smith, Virginia Rep. Tom Davis and Utah Sen. Robert Bennett have each drafted bills that would compel private enterprises to disclose information to government agencies about their security programs and network compromises.
- Utah Sen. Orrin Hatch has proposed expanding federal law enforcement agencies' powers to investigate and compel corporate cooperation.
- Florida Rep. Adam Putnam, the latest cybersecurity crusader, is sitting on a bill that would require publicly traded companies to report security measures and incidents in SEC filings.
Enterprises fear broad, prescriptive security laws because such laws could actually do more harm than good. Infosecurity is a dynamic endeavor, constantly changing to meet new technologies, threats and solutions. In contrast, laws must be specific, otherwise they're unenforceable. Start legislating which firewalls and other security technologies must be used in IT networks, and enterprises will be locked into expensive and potentially ineffective defenses.
So far, the feds have opted not to tie enterprises' hands. But with 85 percent of the nation's critical infrastructure--electric, water, transportation, financial networks, communications, etc.--controlled by private enterprises, lawmakers are becoming more aware of the consequences of cyberattacks--or the dreaded "digital Pearl Harbor"--against the nation's economic and civil infrastructures.
Eventually, Congress will take action, and that means legislation--or what Corporate America calls expensive, unfunded mandates. Just look at what Congress created with HIPAA, GLBA and Sarbanes-Oxley: sweeping privacy and security requirements that are costing corporations billions of dollars in compliance costs. Image what would happen if Feinstein gets her way and the feds create a national version of California's Security Breach Notification Act (SB 1386).
As one Washington insider told me, the real challenge on Capitol Hill is keeping bad legislation from seeing the light of day. If enterprises don't create new frameworks and demonstrate improved security of the nation's critical infrastructure, they can expect to see onerous legislation. Sen. Feinstein, time for roll call!
About the author:
Lawrence M. Walsh is a former executive editor for Information Security magazine.