I'm wondering if this is really needed, or if it's just another case of politicians trying to find a role in this issue -- and possibly doing more harm than good by trying to tell IT how to do its job.
There is little doubt that computer networks are under attack. Groups like Anonymous have shown they can bring down Websites and networks at will -- even supposedly secure sites like the CIA's. If bad guys got into networks that run the country's electrical grid or telecommunications network, things certainly could get ugly quickly. From that perspective, I suppose one could look at this issue as a national security problem, which gives the government a role in making sure these systems are secure.
US President Barack Obama speaks at the CIA. (Source: Wikimedia)
It's important to note that, according to Businessweek, as drafted, the executive order would create voluntary cybersecurity standards. The administration would work with the National Institute of Standards and Technology (NIST) to draft the regulations. What's more, the government could use incentives to get businesses to comply with its specifications, but it doesn't seem like any company would be forced to follow the order.
But even with those caveats, I'm afraid it's not quite that simple. The companies that run computer networks are private businesses trying to compete in an open marketplace. They have to make decisions all the time that balance competitive advantage against security. Whether it's dealing with phishing (which uses spoofed emails to get in the front door with an unwitting employee's help) or hackers forcing their way through the back door via the firewall, IT must deal constantly with threats to network security.
If it were less complicated, IT would just lock down the company, and nobody could get in or out. Employees would have their email carefully screened and would be allowed to access only a pre-approved set of Websites. But life isn't that easy, and IT often doesn't have that kind of control over the network anymore. Employees need access to the Internet to do their work. For better or worse, that means the possibility of exposing the network to rogue sites. Many employees need to use social networking to do their jobs. You can't limit access to Facebook, for instance, when business is being conducted there.
That's why the whole idea of legislation or an executive order raises questions about the government's role in setting IT policy at all. It might seem sensible to establish blanket security policies for IT, but enterprises are not government entities, and it's tricky business for the government to tell these businesses the best way to secure their own networks. If I were an IT pro, I think I would be scared to death of the prospect of politicians trying to tell me how to do my job. It's hard enough to secure a network without Congress and the president throwing around their uninformed opinions on the matter.
Then there's the matter of the government compelling companies to act on behalf of law enforcement. That can also be a thorn in the side of private businesses that are forced to use valuable resources to collect and find data in response to requests from officials. If you're a telecommunications company, I can imagine you would have to devote whole staffs to this type of thing.
I'm not going to suggest that the government has no role in regulating business. In my view, it absolutely does, but you have to tread very carefully when it comes to cybersecurity. By trying to define security policy, the government could end up doing more harm than good in the name of protecting us.
Well, PCI is a way of making sure that you're somewhat up to standards with security in your network (only around systems with credit card information).
It's a good starting point, but pretty much it's just standards. The thing is that the big-name hacks of data and credit card information are all most likely PCI compliant.
We'll have to see what's in the Executive Order, but since the legislation which McCain and co. killed in the Senate was based on White House guidelines, I'm not expecting any surprises. In fact, I'm not expecting content as such. Here's my prediction: the Executive Order will make certain agencies responsible for setting security benchmarks, and will define which national grid suppliers/vendors are governed by the benchmarks.
That's it. So don't expect detail; you just have to decide whether you think the government should set benchmarks on a critical national security issue or leave it to the private sector. There's a philosophical debate there which I'm sure we won't resolve.
Agreed it's not for PR, but just because the government has good intentions doesn't mean it's a good idea or that we should automatically get behind whatever it comes up with. As we've seen with SOPA/PIPA, the government doesn't always come up with good ideas when it comes to technology and the internet, and it's hardly a benevolent third party.
I believe that they're doing this not for PR because people are going to be expecting results, especially those in IT. I think it's a good initiative by the government and rather than trying to find something negative with their intentions, people should support it because it's going to benefit all of us.
Very interesting - I'd have to think this through a little more. "What's more, a homogenized security plan would seem to be more vulnerable than individualized ones designed by companies to meet their own unique market-security balance."
I would say that PCI does something similar and we all know how well that's working. In defense of regulations like PCI, it does bring you up to a certain standard, but going above and beyond is what most people don't do.
To your point, if that's the case, attackers would then start looking at other ways to penetrate that might not be fully covered by the regulation.
I'm not sure it's just for PR. I think the government truly believes it has a stake in making sure that computer systems stay up and running and are not vulnerable to cyber attack.
You should click through to the BusinessWeek article I cited in the post. It discusses possible incentives, although it's not entirely clear what the final executive order or bill would include.
As the article points out, if the bill/order were to require companies to submit written security reports, this is an increased burden on business, and it exposes a company's security plans, which in itself is inherently insecure. My feeling is there needs to be a lot of care and thought put into any legislation or EO that would compel companies to share their security plans.
What's more, a homogenized security plan would seem to be more vulnerable than individualized ones designed by companies to meet their own unique market-security balance.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.