The White House backed computer security legislation this year, and it failed in Congress for a number of political reasons. Now the Obama administration is hinting at an executive order on the subject if Congress can't get its act together.
I'm wondering whether this is really needed, or whether it's just another case of politicians trying to find a role in the issue -- and possibly doing more harm than good by trying to tell IT how to do its job.
There is little doubt that computer networks are under attack. Groups like Anonymous have shown they can knock websites offline more or less at will, including the CIA's public site, although flooding a public web server with traffic is a very different thing from getting inside the network behind it. If attackers got into the control networks that run the country's electrical grid or telecommunications system, things could get ugly quickly. From that perspective, one could reasonably treat this as a national security problem, which gives the government a role in making sure those systems are secure.
It's important to note that, according to Businessweek, the executive order as drafted would create voluntary cybersecurity standards. The administration would work with the National Institute of Standards and Technology (NIST) to draft them. The government could use incentives to get businesses to adopt its specifications, but it doesn't appear that any company would be forced to follow the order.
But even with those caveats, I'm afraid it's not quite that simple. The companies that run these networks are private businesses competing in an open marketplace. They make decisions all the time that balance competitive advantage against security. Whether it's phishing (spoofed emails that walk in the front door with an unwitting employee's help) or attackers coming in the back door through whatever the firewall leaves exposed, IT deals constantly with threats to the network.
If it were less complicated, IT would simply lock the company down so that nothing got in or out. Employees would have their email carefully screened and would be allowed to reach only a pre-approved set of websites. But life isn't that easy, and IT often doesn't have that kind of control over the network anymore. Employees need Internet access to do their work, and for better or worse that means exposing the network to malicious sites. Many employees need social networking to do their jobs; you can't block Facebook when business is being conducted there.
That's why the whole idea of legislation or an executive order raises the question of whether the government should be setting IT policy at all. It might seem sensible to establish blanket security policies, but enterprises are not government entities, and it's tricky business for the government to tell them the best way to secure their own networks. If I were an IT pro, I think I would be scared to death at the prospect of politicians telling me how to do my job. It's hard enough to secure a network without Congress and the president throwing around uninformed opinions on the matter.
Then there's the matter of the government compelling companies to act on behalf of law enforcement. That can also be a thorn in the side of private businesses, which are forced to spend valuable resources collecting and searching data in response to official requests. If you're a telecommunications company, I can imagine having to devote entire teams to this sort of thing.
I'm not going to suggest that the government has no role in regulating business. In my view, it absolutely does, but it has to tread very carefully when it comes to cybersecurity. By trying to define security policy, the government could end up doing more harm than good in the name of protecting us.
— Ron Miller is a freelance technology journalist, blogger, FierceContentManagement editor, and contributing editor at EContent magazine.