Private sector fights on despite cybersecurity bill's failure

IT professionals don't need a federal law to prod them into increasing their efforts to defend against cyber threats. They know they are at war daily with attackers ranging from criminals to "hacktivists" to nation states, looking to damage or steal everything from infrastructure to identities to money to corporate and government intellectual property.

But the debate continues over whether corporations and government agencies guarding their own turf is enough, or if government still has a major role to play, especially regarding critical infrastructure that is in private hands but serves a public function.

The Cyber Security Act of 2012 failed last month after a vote to end debate on the matter failed to get the necessary 60 votes. Business and civil liberties groups had both objected -- businesses saying they would be too heavily regulated and the civil liberty groups complaining of a lack of privacy protections.

But it should surprise no one that, as Human Events reported this week, the failure of that legislation has not stopped private-sector efforts to defend against increasing threats.

While corporations are not about to reveal their tactics or strategy, Larry Clinton, president of the Internet Security Alliance, told the House Energy and Commerce subcommittee this past February that a survey by the Ponemon Institute estimated private-sector spending on cybersecurity at about $80 billion in 2011. He noted that the entire 2012 budget request for the Department of Homeland Security was $57 billion.

But Ponemon, which collaborated with Bloomberg Government on the study, released in January, said $80 billion is still not nearly enough, especially for crucial industries and operators of vital infrastructure. The study was based on interviews with technology managers from 172 U.S. organizations in six industries and the government.

Bloomberg News reported that the study found "utilities, banks and phone carriers would have to spend almost nine times more on cybersecurity to prevent a digital Pearl Harbor from plunging millions into darkness, paralyzing the financial system or cutting communications." Financial companies would have to spend 13 times as much to achieve the same level of security, according to the study.

Lawrence Ponemon, chairman of the Ponemon Institute LLC, told Bloomberg, "The consequences of a successful attack against critical infrastructure make these cost increases look like chump change. It would put people into the Dark Ages."

And even that massive increase in spending, the study found, would only boost those industries' capabilities from stopping 69% of attacks to 95%.

It would also not be enough to make the need for legislation moot, say security experts, who note that it should be obvious that business and industry will not share information with one another and the government unless they are required to do so by law, and are granted some protection from liability.

Joel Harding, a retired military intelligence officer and information operations expert, has been following Congress's so far fruitless effort to pass cybersecurity legislation with some frustration, but also with an understanding of political and business realities.

"Business and governments have different objectives when it comes to cybersecurity," he said. "But often government does not act, necessitating private-sector action to cause government action."

Harding said he hopes the failure of the legislation in August will prompt Congress to take the concerns of business more seriously. "If congressional language is not in line with what business wants, it might backfire in November, so a lot is on the line," he said.

Not everybody thinks federal legislation will make the nation's critical systems more secure, however. Liz Peek, writing in The Fiscal Times, contended that while President Obama is correct that cyber threats are "one of the most serious economic and national security challenges we face," she said, "the legislation he backed would not solve that problem."

"It calls for companies managing our power plants and stock exchanges to meet only minimal security standards while burdening those firms with costly compliance requirements," Peek wrote. "Moreover, it grants compliant organizations legal immunity in the event of an attack. In other words, companies would have arguably less incentive to truly protect our critical infrastructure than without the law."

"Passing the bill would have been another 'checked box' for the White House and for Congress -- nothing more," she added.

Peek cited Lamar Bailey, director of security research for nCircle, a security and information management company, who contends that Congress doesn't have the expertise to craft effective cybersecurity law. Bailey said his firm asked IT professionals at a recent gathering if they thought government regulation would improve information security for critical infrastructure, and 60% said no.

But Harding said the reality is that both government and business have a role to play, because some level of information sharing between the public and private sectors will be crucial in providing effective defense. He does agree it is going to be very expensive.

"To give the U.S. adequate security is going to take an extremely large sum of money," he said. "It is going to cause us pain, lots of it, but we need it to secure our future."

"The really good news is that I am seeing a lot of reports of the software industry finally taking security seriously," Harding said.

Stories by Taylor Armerding