Federalizing cybersecurity: Necessary or nitwitted? (a sequel)

A fresh batch of data breach disclosure legislation has me revisiting the debate over how much of a role Washington should play in this matter.

My viewpoint used to be a lot more liberal in this area. I felt the more legislation, the better.

But having watched the federal government fail so badly at securing its own house, my doubts are growing.

Let's look at the latest activity, as reported by my buddy George V. Hulme:

After several large breaches -- including the Epsilon, Sony, and Citigroup incidents that left customer financial data exposed -- federal lawmakers are dusting the covers off of an old idea: national data breach notification laws.

Since the inception of the California Data breach Disclosure Law, known as SB 1386, most states have since followed suit -- leaving a mishmash of data breach notification laws across the country. Proponents of a national law contend that a federal data breach disclosure standard would simplify the rules for business -- so they know exactly what events would trigger a mandate for notification.

One piece of legislation being introduced, The Data Security and Breach Notification Act of 2011 by Sen. Patrick Leahy (D-Vt.) and co-sponsored by Sen. Charles Schumer (D-N.Y.) and Ben Cardin (D-Md.) would mandate organizations that possess personal information to put in place "reasonable" security procedures to keep that data secure. Should the organization endure a breach, those affected would have to be notified. Also, in line with what has become standard practice today, organizations would have to supply consumers access to credit reports or credit monitoring services for a period of time.

Also this week, Rep. Mary Bono Mack (R-Calif.) released a draft of a bill that also calls for a national notification standard for enterprises that suffer data breaches. Mack's bill would mandate that firms notify the Federal Trade Commission and breach victims within 48 hours of the scope of a breach being assessed. The legislation, in its current form, would give the Federal Trade Commission the power to fine companies that fail to comply.Sign up today.

Get your morning news fix with the daily Salted Hash e-newsletter!

A couple years ago, when I was more in favor of a federal law to replace all the state laws, I wrote a story about what security practitioners saw as the pros and cons.

Some of what people told me remains relevant today, so let me share some of it:

The U.S. Government has had a lot of trouble getting its IT security house in order. Hackers from China and elsewhere keep breaking into government networks to conduct espionage. Federal cybersecurity directors keep quitting.

And so it's no surprise that some IT security practitioners are underwhelmed by the suggestion that government needs the authority to enforce cybersecurity in the private sector. As one security pro put it in an exchange on Twitter, "Well, they do such a fine job of keeping their own stuff in order."

Rich Mogull, a former Gartner analyst and founder of security consultancy Securosis, said a deeper government reach into the private sector may make sense under certain circumstances, but not in the broader sense.

"I think it's reasonable for critical infrastructure and government contractors, but if it extends into general business, it's doomed to failure," he said.

For one thing, he said, the government has shown no ability to secure itself. "Perhaps the re-prioritization of a new administration will improve that, but there is immeasurable institutional momentum to overcome," he said.

While the NSA plays a critical role in cyber-intelligence, Mogull said it is not the right entity to manage our national defensive cybersecurity. "The missions fundamentally conflict," he said. "If we want to leverage their extensive expertise, a separate agency should be created and charged with the defensive role, reporting to a cybersecurity head outside the intelligence infrastructure."

Pete Stagman, owner-senior engineer at Stag Data & Cable and senior engineer at Global Digital Forensics, said the prospect of federalized cybersecurity leaves him uneasy.

"I'm not crazy about this at all, especially the part that 'would require the National Institute of Standards and Technology to establish measurable and auditable cybersecurity standards that would apply to private companies as well as the government [and] require licensing and certification of cybersecurity professionals,'" he said. "Creating a set of standards will create a false sense of security among private sectors higher ups, who will say, 'If we are following the government guidelines, then we're safe."

Any professional walking in with a new set of recommendations is going to hit a brick wall, he added.

Much has happened since that article was written. President Obama brought in Howard Schmidt as his cybersecurity adviser and a lot of initiatives have been launched. Earlier this year, for example, The U.S. Department of Commerce launched an office focused on promoting online trusted identity technologies, although much of the effort is to be driven by private vendors.

But on the legislative side, there's still reason for pause.

It's good to see lawmakers increasingly focused on data breaches and how companies handle them. But is there really anything a federal data breach law could accomplish that all the state laws haven't accomplished already?

The bigger concern is the confusion a new federal law could cause among companies that just spent the last few years understanding what they needed to do for compliance and security (Note: These are two different things. To be compliant does not mean to be secure.)

At this point, I think the state laws should be enough. But mine is just one opinion. I want to know what you think.


--Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO's Daily Dashboard gives you a

Copyright © 2011 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)