The FISMA Focus IPD

 Congress recently took an unearned vacation without passing some expected cybersecurity legislation, and now President Obama is reportedly thinking of getting the job done with an executive order. So we know what the amateurs are up to; now lets get some related thoughts from the experts on U.S. cybersecurity laws. For example, do we need a new policy? Will it do any good? What should it include?The answers might surprise you.

I spoke to a number of experts, and I collected a lot of great information so it’s going to take more than a single blog post to cover. In the following two posts, you’ll hear from representatives of Appthority, Axway, Kindsight Security, Rapid7, Raytheon Trusted Computer Solutions, Sensage, Foreground Security, AlgoSec and Bat Blue Networks.

But I thought I’d kick off this first post with comments from two folks who are almost as upset as I am about this whole mess.

Ladies and gentlemen, Jason Lewis, Chief Scientist at Lookingglass Cyber Solutions:

“First, legislation never fixes anything. It’s usually a knee jerk reaction to an event, and the legislation doesn’t take into account the endless ways around the laws. Ultimately, companies are forced to spend more money so they can check off a compliance box, but the solution doesn’t completely address the problem.

“The critical infrastructure legislation will most certainly make security vendors a lot of money. The idea behind the legislation is well intentioned, but it will become apparent that it doesn’t have teeth. The real solution will be painful to everyone involved and it’s easier to spend money than address the core problem, which is accountability. If the law stated that companies involved in security incidents had to shut down their business until they could prove they had addressed the issues, the number of breaches would be low and the level of security across all sectors would improve dramatically. Next, companies that are involved in critical infrastructure would need help funding upgrades and improvements in their security postures. It’s a difficult task to update critical SCADA systems without impacting operations. Congress can pass all the laws they want, criminals don’t obey the law. The mindset needs to shift to, ‘How can we make networks and critical infrastructure secure?’ and then do it.”

Mr. Lewis, have you considered running for office? I only have one quibble: A bunch of civil rights legislation fixed a whole lot of stuff in the past–but I understand the sentiment.

Next up is the only slightly less irritated Ashar Aziz, Founder, CEO and CTO of FireEye:

“What the U.S. needs is a bill that mandates critical infrastructure to have adequate safeguards against sophisticated cyber attacks. The final version of the bill that was defeated in the Senate was significantly watered down in order to appease the various constituencies. There was no requirement for any critical infrastructure entity to do anything new in terms of additional cybersecurity safeguards. There were only incentives to have better safeguards and the sharing of cyber threat intelligence. Government inaction seriously threatens the security of the U.S.

“Apparent opposition to the bill was motivated in part by Chamber of Commerce objections to the potential costs of the bill to private businesses. However, Chamber of Commerce objections to the potential costs to private businesses seem to be overstated, considering the final version of the bill mandated no additional cybersecurity protections for any critical infrastructure entity, other than reporting of serious cyber attacks.

“Viewing this issue through the prism of government regulation vs. free market autonomy is a mistake. Policy makers in the Senate and the House need to view this as a public safety and national security issue. Free market forces do not of their own accord always take public safety issues into account. In fact, as evidenced by the failure of this legislation to pass, they frequently oppose any changes even if they are necessary for public safety, as profit considerations sometimes override public safety concerns.

“There is an additional factor exacerbating this situation: The U.S. has already gone on the offensive in terms of sophisticated cyber attacks on another country (Iran). While we ourselves live in a gigantic and fragile cyber glass house, we have been throwing stones at others. Yet, we are unable to pass even the most basic and watered down legislation in order to protect this national cyber glass house.

“Given this unfortunate situation, I would urge President Obama to enact the main provisions of the bill, such as the creation of National Cybersecurity Council, and centers for voluntary exchange of cyber threat intelligence, via executive orders. Considering that the bill was already watered down via removal of all the mandatory provisions of the bill, the need for new legislation to accomplish the main tenets of the bill was already questionable. President Obama has the authority to enact these tenets of the bill via executive order. He also has the responsibility to do so, considering his primary role as President is the safety and security of the citizens and the country as a whole.”

Mr. Aziz isn’t the only one who’s unhappy with the Chamber of Commerce’s role in shaping the legislation. Just wait until you read the next two followup posts.