There’s no question IT has revolutionized global business. It’s almost impossible to imagine how massive structures of information existed without it. Naturally, all the advantages of sophisticated information management come with one major disadvantage: the ability to be compromised.
Over the past seven years we’ve seen a new wave of cyber attacks and we can only expect them to get smarter and more ingenious. This astonishing ability to compromise nearly all of corporate America and the US government cannot be stopped with our current approach. It’s time for cyber security business leaders to adapt and adopt a new information-centric security mindset, because when it comes to the many (and multiplying) doomsday scenarios that will unfold in the coming decade, we need federal regulations that can protect us.
Wait, wait, don’t look away. Don’t avert your eyes. It is possible to be a strong opponent of federal regulation of any kind but still recognize the integrity of consistent and rigorous protocols to assure your enterprise is protected from competitor-aggressors as well as foreign-attack based initiatives. Business didn’t see this coming but they are targets in an unprecedented way.
Consider this: you no longer need an army, you just need a small group of hackers. Today, that’s all it takes to takedown giant corporate and government structures. This means power plants, airports, trading floors and everything in between. The recent attack on the New York Times from sources in China (which are believed to have come from a Chinese Army unit) make it evident that commercial and government entities alike are increasingly vulnerable in this changing threat landscape.
Another group of hackers in China compromised the computer defenses of the Chamber of Commerce – the U.S.'s preeminent business-lobbying organization, and in the process got information about the Chamber’s 3 million members and all of the information stored on the Chamber’s IT system. The unprecedented level of sophistication in cyber attacks is alarming: during the course of the cyber attack on the Chamber of Commerce a “thermostat at a town house the Chamber owns on Capitol Hill at one point was communicating with an Internet address in China.”
That's close. Too close.
But we can manage our defenses. Whether it’s Ecrime, Cyber Espionage, Corporate Espionage or Cyber War it’s safe to say that everyone is playing and you don’t want to be late to this game. The fact is that almost every major country now has a cyber program. In addition, the Ecrime business is generating millions a month for globally organized crime syndicates.
Which brings us back to our key challenge from a computer security and regulatory point of view: most of our critical infrastructure is under the control of private industry. As I’ve discussed before, the reason we need aggressive regulation is because of the fatal assumption that private industry will work to secure systems to a level commensurate with the threats we face. This “self regulation” has been the status quo for over 25 years and hasn’t worked. It’s time we faced the truth and try a new approach. Having more robust federal IT regulation would trigger a dramatic change in operations as well as culture in the private industries that manage these environments.
Here are four key things we need to do:
- Lobby for effective federal risk management legislation with an eye to empowering an overall information-centric security approach. This approach should encompass all companies, not just those that fall within the quote unquote “Critical Infrastructure”.
- Minimize the need for duplicative audits (SOX, PCI, etc), base-lined against concomitantly robust insurance premium reductions.
- Develop appropriate security and protections for information sharing capabilities between U.S. government and private companies with information sharing levels and protocols for both routine (non-emergency) concurrencies and in order to more aggressively and actively defend ourselves and assist in the takedown of attackers during crisis management situations.
- Establish a federal standard for information security practitioners. With so much at stake why would we ever want to allow it to be managed without federal standards? Finance, Medicine and Law all have certifications for their practitioners, it’s time we in information risk management did as well.
Nobody likes more regulation. And with good reason. What business owner in their right mind would ask for a single new government regulation that might hinder or restrict their movements? It’s irrational and already most business owners feel over-regulated. But when it comes to internet security and cyber attacks, we need a new regulatory mindset around computer security.
It’s in everyone’s enlightened self-interest.