Congress should heed the advice of security professionals rather than lobbyists

We are entering a new phase in the lengthy cybersecurity legislation saga. Last Thursday, Senators Lieberman (I-CT), Collins (R-ME), Rockefeller (D-WV), and Carper (D-DE) introduced the revised Cybersecurity Act of 2012 out of the Homeland Security and Government Affairs Committee. Old name, but the new bill (S.3414) is a true compromise. Rather than mandating that critical infrastructure organizations comply with a DHS cybersecurity framework, the new bill provides incentives to organizations that comply with cybersecurity best practices voluntarily. Furthermore, the new bill borrows from the best of the Republican-sponsored alternative SecureIT Act, as well as some of the more palatable measures outlined in the controversial CyberInformation Sharing & Protection Act (CISPA). As of today (Monday, July 23, 2012), there is no schedule for debate or a vote, but President Obama already declared his support for the new bill and publicized his opinion in the Wall Street Journal.

Personally, I thought the old bill (S.2105) was a good start, but I understand the political realities of regulating the free market. Since this bill uses “carrots” rather than “sticks,” there is a bit of hope that it can achieve bipartisan support – an increasingly rare occurrence.

Of course, this bill comes under the scrutiny of a fundamental question: Do we really need legislation? As someone who lives in this world, I am convinced the answer is “yes,” but I am not alone. Last year, ESG surveyed 244 security professionals working at enterprise organizations (i.e. more than 1,000 employees), and asked them a series of questions about Advanced Persistent Threats (APTs). APTs are sophisticated attacks perpetrated by highly-skilled and well-resourced bad guys.
The normal goal of an APT is the theft of Intellectual Property (IP), but there is no reason an APT couldn’t be used to corrupt a control system to shut down a power grid. ESG asked these 244 security professionals if the federal government was doing enough to help the private sector understand APTs and build the right countermeasures. The vast majority (78%) of respondents said that the feds could do more in this area. When asked what actions the federal government should take:

- 45% said, “create better ways to share Federal cybersecurity information with the private sector”
- 41% said, “coordinate an APT task force”
- 40% said, “enact more stringent cybersecurity legislation along the lines of PCI”
- 35% said, “use diplomatic means to address APTs in the international community”
- 35% said, “provide funding for cybersecurity research and education”
- 34% said, “enact legislation with higher fines for data breaches”
- 34% said, “provide incentives to organizations that improve cybersecurity”

Clearly, cybersecurity professionals believe that the feds should take action, and the latest cybersecurity bill contains many of their recommendations. I for one hope that sensibility and logic trump politics here, and that Washington does the right thing. I’m skeptical but hopeful.