joltsik
Contributing Writer

Federal Cybersecurity Carrots and Sticks

Opinion
May 01, 2015 (3 min read)
Topics: Cisco Systems, Compliance, Cybercrime

Critical infrastructure cybersecurity professionals want to see more government incentives and harsher penalties.

In my last blog, I highlighted a recent ESG research survey of cybersecurity professionals working at critical infrastructure organizations (note: I am an ESG employee). As a review:

  • Only 22% of critical infrastructure cybersecurity professionals believe that the U.S. government’s cybersecurity strategy is extremely clear and thorough. The vast majority remain confused and/or underwhelmed.
  • In spite of this misconception, 83% of cybersecurity professionals working within critical infrastructure industries say that the U.S. government should be more active with cybersecurity strategies and defenses.

So the infosec crowd wants Uncle Sam to put more skin in the game, but what specific actions should the U.S. government take? Survey respondents were given a list of potential federal cybersecurity actions and asked to select which of these the government should move forward. Here’s what they said:

  • 47% of cybersecurity professionals working at critical infrastructure organizations said that the federal government should create better ways to share cybersecurity information with the private sector. Good news for the Washington crowd, as this aligns with President Obama’s Executive Order and several pieces of legislation making their way through Congress.
  • 44% of cybersecurity professionals working at critical infrastructure organizations said that the federal government should create and publicize a “black list” of vendors with poor product security. Clearly, these infosec pros want more accountability in the cyber supply chain. Interesting idea, but with all the money flowing to K Street lobbyists, this will never happen.
  • 40% of cybersecurity professionals working at critical infrastructure organizations said that the federal government should limit federal government IT purchasing to vendors that demonstrate a superior level of security in their products and processes. I like this one assuming that the feds could establish an objective set of metrics as a guideline. This suggestion could actually be a white list proxy for the “black list” suggestion above.
  • 40% of cybersecurity professionals working at critical infrastructure organizations said that the federal government should enact more stringent cybersecurity legislation along the lines of PCI DSS. Hmm, these infosec pros (i.e. those on the front line) are recommending something that Congress and organizations like the U.S. Chamber of Commerce have been so opposed to. Kind of a NIST cybersecurity framework with teeth. Are you listening, Congress?
  • 39% of cybersecurity professionals working at critical infrastructure organizations said that the federal government should enact legislation with high fines for data breaches. A sort of financial Scarlet Letter? Once again, K Street lawyers would get in the way here.
  • 37% of cybersecurity professionals working at critical infrastructure organizations said that the federal government should provide funding for cybersecurity professional training and education. I couldn’t agree more, but what’s needed is a concerted cybersecurity education strategy with funding for centers of excellence rather than the current peanut butter approach backed by meager funding.
  • 36% of cybersecurity professionals working at critical infrastructure organizations said that the federal government should provide incentives (i.e. tax breaks, matching funds, etc.) to organizations that improve cybersecurity. This too makes sense if the feds can establish useful and objective metrics for strong security.

Attention Washington: an important constituency, cybersecurity professionals working at critical infrastructure organizations, is asking for your help. This group wants to see a detailed cogent cybersecurity strategy and more action. They also want you to sweeten the pot for organizations that make positive cybersecurity contributions and punish those that don’t. So stop treating cybersecurity as a political football and get busy!

If you’d like to read more, the ESG research brief is available for download here.


Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
