Industry on Cybersecurity Act of 2012: Not so fast

While the government may be in a rush to get the Cybersecurity Act of 2012 enacted, many in the industry are saying: not so fast.

Chief information security officers, industry analysts, and others question whether the move is needed--or even wise.

"The Federal government already has the power to put security requirements into all of its purchase requests--in fact, in many cases it already does so. This is the biggest area where the government can improve security--by driving the software and IT companies to develop more secure products," said Gartner analyst John Pescatore.

"Not by trying to mandate security levels," he said.

[See CSOonline's exclusive directory of security-related laws, regulations and guidelines]

As covered late last week in our story Lieberman: Cybersecurity Act of 2012 will help us protect critical infrastructure , the law aims to give the Department of Homeland Security the power to mandate the security level in industries it deems as critical infrastructure, such as power and telecommunications, water and treatment plants, wireless providers, and others.

Sen. Susan Collins, R-Me., was quoted as stating that cyberattacks are coming from all directions and that "this bill is urgent," adding that "we cannot wait until our country suffers a catastrophic attack."

"If they're that worried about a catastrophic attack, maybe they should consider putting more emphasis on incident response plans, rather than trying to set some bar they believe is a fair level of security," said a security analyst at a mid-western utility, who spoke on the condition of anonymity.

"We've been quite active in securing our cyber infrastructure with NERC (North American Electric Reliability Corporation) standards. Even pushing beyond those requirements. The concern is that we get the unintended consequences public companies had to endure with Sarbanes-Oxley," the analyst said.

Eric Cowperthwaite, CISO at a major healthcare provider, agrees that the bill may bring unintended results. "Look at the HIPAA Security Rule. It was designed to be a risk management-based rule. But, not understanding the power of the hospital compliance culture, the regulators didn't understand that it would become a very difficult compliance nightmare," he said.

"Complying with a risk-management rule is basically not possible if your view is that you have to check off the boxes you have completed," Cowperthwaite said.

He also pointed to the state data breach disclosure laws, citing the negative impact the encryption safe harbor provided in many of these laws. "Encryption of laptop hard drives is now a standard practice even if there is no significant risk."

"Could that money have been better spent on other security efforts?" he asks.

"They [the bill authors] put all the pain on the end user in the hope that that'll drive the change, but you typically end up breeding this culture of compliance where end users try to argue that they don't have any critical assets, or they'll downplay the criticality of the data and the systems they have," said Nate Kube, chief strategy officer for Wurldtech, a security testing and remediation solutions provider to critical infrastructure suppliers, system integrators.

Gartner's Pescatore contents that he'd prefer to see a focus on the government leveraging its vast buying power to drive secure software and product development.

"One of the many cybersecurity bills floated over the past 5 years had that focus. This is a much better approach than on trying to mandate add-on security, by a long shot," he said.

Join the CSO newsletter!

Error: Please check your email address.

More about GartnerISO

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by George V. Hulme

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place