Industry on Cybersecurity Act of 2012: Not so fast
Security experts fear the Cybersecurity Act of 2012 will cement a "culture of compliance"
February 22, 2012 — CSO —
While the government may be in a rush to get the Cybersecurity Act of 2012 enacted, many in the industry are saying: not so fast.
Chief information security officers, industry analysts, and others question whether the move is needed—or even wise.
"The Federal government already has the power to put security requirements into all of its purchase requests—in fact, in many cases it already does so. This is the biggest area where the government can improve security—by driving the software and IT companies to develop more secure products," said Gartner analyst John Pescatore.
"Not by trying to mandate security levels," he said.
[See CSOonline's exclusive directory of security-related laws, regulations and guidelines]
As covered late last week in our story Lieberman: Cybersecurity Act of 2012 will help us protect critical infrastructure , the law aims to give the Department of Homeland Security the power to mandate the security level in industries it deems as critical infrastructure, such as power and telecommunications, water and treatment plants, wireless providers, and others.
Sen. Susan Collins, R-Me., was quoted as stating that cyberattacks are coming from all directions and that "this bill is urgent," adding that "we cannot wait until our country suffers a catastrophic attack."
"If they're that worried about a catastrophic attack, maybe they should consider putting more emphasis on incident response plans, rather than trying to set some bar they believe is a fair level of security," said a security analyst at a mid-western utility, who spoke on the condition of anonymity.
"We've been quite active in securing our cyber infrastructure with NERC (North American Electric Reliability Corporation) standards. Even pushing beyond those requirements. The concern is that we get the unintended consequences public companies had to endure with Sarbanes-Oxley," the analyst said.
Eric Cowperthwaite, CISO at a major healthcare provider, agrees that the bill may bring unintended results. "Look at the HIPAA Security Rule. It was designed to be a risk management-based rule. But, not understanding the power of the hospital compliance culture, the regulators didn't understand that it would become a very difficult compliance nightmare," he said.
"Complying with a risk-management rule is basically not possible if your view is that you have to check off the boxes you have completed," Cowperthwaite said.
He also pointed to the state data breach disclosure laws, citing the negative impact the encryption safe harbor provided in many of these laws. "Encryption of laptop hard drives is now a standard practice even if there is no significant risk."